- 45 CFR 162 — X12 5010 transaction continuity
- 45 CFR 164.308(b)(1), 164.502(e) — Business Associate Agreement (BAA) controls
- 45 CFR 164.312(a)(2)(iv) — Credential encryption at rest
- 45 CFR 164.312(b) — Audit controls
- 45 CFR 164.312(e)(2)(ii) — PHI encryption in transit
1. Scope
PM-15-P2-EN-01 extends the PM-15-P2 single-vendor (Waystar) baseline with:- Secondary clearinghouse adapters (Availity, Change Healthcare) gated behind a recorded BAA approval per organization.
- Per-payer route overrides (
pm_payer_clearinghouse_routes). - Health-aware failover with a configurable degradation threshold (
pm_clearinghouse_config.failover_*). - Audited failover transitions (config changes + runtime route flips) written to
pm_audit_log.
2. Vendor Adapter Inventory
Stubs MUST NOT carry PHI until the secondary’s BAA gate (§4) is satisfied and transport hardening is signed off.
3. Routing Precedence (Continuity — 45 CFR 162)
Implemented byresolveVendorRoute() (src/cores/pm/services/clearinghouse/router.ts). Pure, deterministic, unit-tested.
- Per-payer override (
pm_payer_clearinghouse_routes.preferred_vendor). - Configured primary vendor (
pm_clearinghouse_config.clearinghouse_provider). - Configured secondary vendor — only when failover is enabled, secondary is configured, and the primary has been continuously unhealthy for ≥
failover_threshold_minutes.
src/cores/pm/services/clearinghouse/router.test.ts (6 cases — payer override, disabled failover, no secondary, healthy primary, threshold-not-met, threshold-met failover).
4. BAA Gate (45 CFR 164.308(b)(1), 164.502(e))
- The Failover Settings UI (
src/cores/pm/components/clearinghouse/FailoverSettingsCard.tsx) readspm_clearinghouse_config.custom_fields.baa_approved_vendors: string[]. - The Save action and the failover-enabled toggle are blocked when the chosen secondary vendor is not present in the approved list.
- User-visible copy when blocked: “This vendor cannot be enabled until compliance approval is recorded.” (per
PM-15-P2-EN-01-CONTEXT.md§Example Phrasing). - Storage location is interim — a dedicated
pm_clearinghouse_baa_approvalstable is tracked as a follow-up inspecs/pm/IMPLEMENTATION_LOG.md.
5. Audit Controls (45 CFR 164.312(b))
Two complementary audit paths, both PHI-free:
Runtime emission is deduplicated by an in-memory (org, payer) cache so steady-state routing does not spam the audit log; only transitions are written. Failures are sent to Sentry and never block transaction submission.
Tests:
src/cores/pm/services/clearinghouse/audit.test.ts (4 cases — first decision, dedupe on no-op, transition row, payer scoping).
6. Credential & Transport Security (45 CFR 164.312(a)(2)(iv), 164.312(e)(2)(ii))
Inherits all PM-15-P2 controls. No additional credential surface is introduced by EN-01:- Vendor credentials remain in Edge Function Secrets (
Deno.env.get); no credentials in DB, logs, or app state. - All vendor traffic is HTTPS (TLS 1.2+); REST-only transport (SFTP deferred).
- Failover settings store only vendor codes, booleans, and integer thresholds — no credentials, no PHI.
7. Tenant Isolation (Constitution §5.1)
pm_clearinghouse_config,pm_payer_clearinghouse_routes, andpm_audit_logare allorganization_id-scoped withFORCE ROW LEVEL SECURITY.- All hooks scope reads/writes by
useOrganization()and filter mutations onorganization_id. - RLS test:
tests/rls/pm/pm-clearinghouse-failover.test.ts.
8. Test Inventory
9. Seed Test Data
Synthetic, PHI-free fixtures scoped to NorthSight Recovery:supabase/seeds/pm/pm-15-p2-en-01-test-data.sql
(Test-PM-15-P2-EN-01-Normal, -Edge, -Empty). Apply via Supabase Studio SQL editor against the dev project.
10. Open Follow-Ups
Tracked inspecs/pm/IMPLEMENTATION_LOG.md → PM-15-P2-EN-01:
- Mobile Sheet variant for
PayerRoutesTableadd/edit flows. - Replace ad-hoc empty-state copy with shared
<EmptyState />. - Edge-function (server-side) clearinghouse transport for the secondary adapters.
- Dedicated
pm_clearinghouse_baa_approvalstable to replace the JSONB interim store. - Server-side router-driven audit emission once submission moves to edge functions (current emission is client-side only).