Skip to main content
This directory contains compliance evidence packages — documents that tie specific feature implementations to their regulatory requirements. Evidence packages are required for any feature that touches a regulated area (CL, PM, HR, RH, GR, FA, IT, CE, PF).

What is a Compliance Evidence Package?

A compliance evidence package proves that a specific implementation satisfies a specific regulatory requirement. It contains:
  1. Regulatory requirements table — the specific clauses/requirements from the regulation
  2. Implementation evidence — code references, schema elements, UI components, test names that satisfy each requirement
  3. Test evidence — unit/integration/RLS test names that verify the implementation
  4. Gaps — any requirements not yet implemented (with tracking references)

When to Create an Evidence Package

Create an evidence package when:
  • A spec targets a regulated requirement (42 CFR Part 2, HIPAA Security Rule, AHCCCS 320-O, FLSA, etc.)
  • The feature is marked “implemented” or “partial” in the relevant compliance tracker
  • Preparing for an audit, accreditation survey, or compliance review
  • A regulator or payer requests documentation of compliance
Reference docs/compliance/REGULATORY_COMPLIANCE_TRACKER.md to find requirements that need evidence packages.

How to Create an Evidence Package

  1. Identify the requirement: Find the row in the relevant compliance tracker (e.g., REGULATORY_COMPLIANCE_TRACKER.md).
  2. Copy the template: Use specs/_templates/COMPLIANCE_SIGNOFF_TEMPLATE.md as a starting point. For detailed evidence, use the CL-11-EN-01-42cfr-part2-EVIDENCE.md file in this directory as a model.
  3. Name the file: {SPEC-ID}-{REGULATION-ABBREVIATION}-EVIDENCE.md (e.g., CL-11-EN-01-42cfr-part2-EVIDENCE.md)
  4. Complete each section:
    • Regulatory requirements addressed (table with: Requirement, Implementation, Evidence)
    • Test coverage (list of test files/names)
    • Gaps (requirements not yet implemented, with spec/task references)
  5. Link from the compliance tracker: Add a link to the evidence file in the corresponding tracker row.

Coverage Audit

Run the evidence coverage audit to see which implemented/partial requirements lack evidence packages:
This script cross-references the compliance tracker against existing evidence files and reports gaps.

Priority: High-Risk Requirements (Create These First)

Based on audit risk and regulatory penalty severity, create evidence packages for these areas first:

Current Evidence Packages

  • docs/compliance/REGULATORY_COMPLIANCE_TRACKER.md — master compliance status
  • specs/_templates/COMPLIANCE_SIGNOFF_TEMPLATE.md — sign-off template
  • scripts/audit/audit-compliance-evidence.ts — coverage audit script
  • .cursor/rules/regulatory-compliance.md — what regulations apply to each core