> ## Documentation Index
> Fetch the complete documentation index at: https://docs.encoreos.io/llms.txt
> Use this file to discover all available pages before exploring further.

# HIPAA & 42 CFR Part 2 Compliance Evidence

> Evidence for intake screening and triage safeguards under HIPAA and 42 CFR Part 2.

**Date:** 2026-03-28\
**Reviewer:** AI Agent (post-implementation review)

***

## 1. PHI Handling

| Control       | Implementation                                                                            | Evidence                                                                           |
| ------------- | ----------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- |
| PHI at rest   | Supabase encryption; screening data in `ce_screening_attempts` and `ce_screening_results` | Tables created via migration with RLS                                              |
| PHI in events | Event payloads contain only IDs and flags; no free-text clinical data                     | `useCreateScreening.ts` — payload construction excludes `chief_complaint`, `notes` |
| PHI in logs   | No PHI logged; synthetic data in tests                                                    | Test files use `Test-CE-28-*` naming                                               |
| PHI in errors | `sanitizeErrorMessage()` used in all user-facing error handlers                           | Component files use sanitized errors                                               |

## 2. 42 CFR Part 2 Consent Gating

| Control                    | Implementation                                                                                 | Evidence                                      |
| -------------------------- | ---------------------------------------------------------------------------------------------- | --------------------------------------------- |
| Consent capture            | `consent_obtained`, `consent_method`, `consent_recorded_at` columns on `ce_screening_attempts` | Migration file                                |
| Consent gating on events   | `ce_screening_completed` only published when `consent_obtained === true`                       | `useCreateScreening.ts` — conditional publish |
| Consent metadata in events | `consent_recorded_at` included in event metadata                                               | Event payload construction                    |
| Consent UI                 | Form requires consent checkbox before submission                                               | `ScreeningForm.tsx` — consent fields          |

## 3. Tenant Isolation

| Control                  | Implementation                                                                                            | Evidence                                                                |
| ------------------------ | --------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------- |
| RLS on all tables        | `ce_screening_attempts`, `ce_screening_results`, `ce_screening_questionnaires`, `ce_screening_sla_config` | Migration with `ENABLE ROW LEVEL SECURITY` + `FORCE ROW LEVEL SECURITY` |
| SECURITY DEFINER helpers | `ce_can_view_screening()` with REVOKE/GRANT pattern                                                       | Migration file                                                          |
| org\_id on mutations     | All hooks use `.eq('organization_id', orgId)`                                                             | Hook files                                                              |
| RLS tests                | 4 test files covering all tables                                                                          | `tests/rls/ce-screening-*.rls.test.ts`                                  |

## 4. Access Control

| Control            | Implementation                                                    | Evidence                              |
| ------------------ | ----------------------------------------------------------------- | ------------------------------------- |
| Permission gating  | `ce.screening.view`, `ce.screening.create`, `ce.screening.manage` | Permission constants + seed migration |
| Route-level guards | `<PermissionGate>` on screening route                             | Route configuration                   |
| No hardcoded roles | Permission hooks used throughout                                  | Component files                       |

***

## Summary

CE-28 meets HIPAA Privacy Rule and 42 CFR Part 2 requirements for:

* PHI protection (encryption at rest, no PHI in events/logs)
* SUD consent gating (3-field consent capture, event-level enforcement)
* Tenant isolation (RLS + application-level org\_id filtering)
* Access control (permission-based, not role-based)

**Status:** ⚠️ Implementation complete for Phase 1+1.5 scope — formal compliance sign-off pending
