Skip to main content

1. HIPAA (45 CFR 164.502, 164.312(b))

Controls

Test Coverage

  • RLS tests: tests/rls/ce-lead-conversions.rls.test.ts — org isolation, immutability
  • Payload audit: Event payload verified IDs-only in code review

2. 42 CFR Part 2 (SUD Confidentiality)

Controls

Notes

  • CE-29 events carry zero clinical content — they are ID-based pointers only
  • The PM subscriber (handleLeadConvertedToPatient) reads contact data server-side, never exposing it in event payloads
  • Full Part 2 consent enforcement is deferred to CL-11 integration per spec Clarifications

3. AHCCCS 320-O (Screening Documentation)

Controls

Notes

  • AHCCCS 320-O requires 18 assessment elements documented in the clinical record
  • CE-29 captures the conversion decision point; full clinical documentation is CL-02/CL-04 responsibility
  • The data_mapping JSONB field provides extensibility for org-specific screening fields

4. Cross-Reference


5. References

  • Spec: specs/ce/specs/CE-29-lead-to-patient-conversion-pipeline.md
  • Tasks: specs/ce/tasks/CE-29-TASKS.md
  • Compliance Tracker: docs/compliance/CE_COMMUNICATIONS_COMPLIANCE_TRACKING.md
  • Regulatory Tracker: docs/compliance/REGULATORY_COMPLIANCE_TRACKER.md
  • RLS Tests: tests/rls/ce-lead-conversions.rls.test.ts