1. HIPAA (45 CFR 164.502, 164.312(b))
Controls
Test Coverage
- RLS tests:
tests/rls/ce-lead-conversions.rls.test.ts— org isolation, immutability - Payload audit: Event payload verified IDs-only in code review
2. 42 CFR Part 2 (SUD Confidentiality)
Controls
Notes
- CE-29 events carry zero clinical content — they are ID-based pointers only
- The PM subscriber (
handleLeadConvertedToPatient) reads contact data server-side, never exposing it in event payloads - Full Part 2 consent enforcement is deferred to CL-11 integration per spec Clarifications
3. AHCCCS 320-O (Screening Documentation)
Controls
Notes
- AHCCCS 320-O requires 18 assessment elements documented in the clinical record
- CE-29 captures the conversion decision point; full clinical documentation is CL-02/CL-04 responsibility
- The
data_mappingJSONB field provides extensibility for org-specific screening fields
4. Cross-Reference
5. References
- Spec:
specs/ce/specs/CE-29-lead-to-patient-conversion-pipeline.md - Tasks:
specs/ce/tasks/CE-29-TASKS.md - Compliance Tracker:
docs/compliance/CE_COMMUNICATIONS_COMPLIANCE_TRACKING.md - Regulatory Tracker:
docs/compliance/REGULATORY_COMPLIANCE_TRACKER.md - RLS Tests:
tests/rls/ce-lead-conversions.rls.test.ts