# Compliance Evidence Packages

> Last Updated: 2026-04-12

This directory contains compliance evidence packages — documents that tie specific feature implementations to their regulatory requirements. Evidence packages are required for any feature that touches a regulated area (CL, PM, HR, RH, GR, FA, IT, CE, PF).

## What is a Compliance Evidence Package?

A compliance evidence package proves that a specific implementation satisfies a specific regulatory requirement. It contains:

1. **Regulatory requirements table** — the specific clauses/requirements from the regulation
2. **Implementation evidence** — code references, schema elements, UI components, test names that satisfy each requirement
3. **Test evidence** — unit/integration/RLS test names that verify the implementation
4. **Gaps** — any requirements not yet implemented (with tracking references)

## When to Create an Evidence Package

Create an evidence package when:

* A spec targets a regulated requirement (42 CFR Part 2, HIPAA Security Rule, AHCCCS 320-O, FLSA, etc.)
* The feature is marked "implemented" or "partial" in the relevant compliance tracker
* Preparing for an audit, accreditation survey, or compliance review
* A regulator or payer requests documentation of compliance

Reference `docs/compliance/REGULATORY_COMPLIANCE_TRACKER.md` to find requirements that need evidence packages.

## How to Create an Evidence Package

1. **Identify the requirement:** Find the row in the relevant compliance tracker (e.g., `REGULATORY_COMPLIANCE_TRACKER.md`).
2. **Copy the template:** Use `specs/_templates/COMPLIANCE_SIGNOFF_TEMPLATE.md` as a starting point. For detailed evidence, use the `CL-11-EN-01-42cfr-part2-EVIDENCE.md` file in this directory as a model.
3. **Name the file:** `{SPEC-ID}-{REGULATION-ABBREVIATION}-EVIDENCE.md` (e.g., `CL-11-EN-01-42cfr-part2-EVIDENCE.md`)
4. **Complete each section:**
   * Regulatory requirements addressed (table with: Requirement, Implementation, Evidence)
   * Test coverage (list of test files/names)
   * Gaps (requirements not yet implemented, with spec/task references)
5. **Link from the compliance tracker:** Add a link to the evidence file in the corresponding tracker row.

## Coverage Audit

Run the evidence coverage audit to see which implemented/partial requirements lack evidence packages:

```bash
npx tsx scripts/audit/audit-compliance-evidence.ts
```

This script cross-references the compliance tracker against existing evidence files and reports gaps.

## Priority: High-Risk Requirements (Create These First)

Based on audit risk and regulatory penalty severity, create evidence packages for these areas first:

| Priority | Regulation                                 | Tracker                                | Required Evidence                                |
| -------- | ------------------------------------------ | -------------------------------------- | ------------------------------------------------ |
| 1        | 42 CFR Part 2 (SUD data)                   | REGULATORY\_COMPLIANCE\_TRACKER.md     | Consent, disclosure, gating                      |
| 2        | HIPAA Security Rule technical safeguards   | IT\_SECURITY\_COMPLIANCE\_TRACKING.md  | Access control, audit logging, encryption, MFA   |
| 3        | AHCCCS Policy 320-O (clinical assessments) | REGULATORY\_COMPLIANCE\_TRACKER.md     | 18 required assessment elements                  |
| 4        | HIPAA Privacy Rule PHI handling            | REGULATORY\_COMPLIANCE\_TRACKER.md     | PHI classification, access controls, disclosures |
| 5        | FCRA adverse action notices                | FCRA\_TCPA\_COMPLIANCE\_TRACKING.md    | Background check workflow, adverse action        |
| 6        | FLSA overtime tracking                     | HR\_WORKFORCE\_COMPLIANCE\_TRACKING.md | Time/attendance, overtime calculation            |

## Current Evidence Packages

| File                                                                                           | Feature                           | Regulation            | Status     |
| ---------------------------------------------------------------------------------------------- | --------------------------------- | --------------------- | ---------- |
| [CL-11-EN-01-42cfr-part2-EVIDENCE.md](42cfr-part2-evidence-cl-11-en-01.md)                     | Electronic consent & redisclosure | 42 CFR Part 2         | ✅ Complete |
| [CL-02-EN-58-42cfr-part2-EVIDENCE.md](42cfr-part2-evidence-cl-02-en-58.md)                     | CL-02 Part 2 compliance           | 42 CFR Part 2         | ✅ Complete |
| [PM-15-P2-HIPAA-EDI-EVIDENCE.md](hipaa-edi-evidence.md)                                        | HIPAA EDI / clearinghouse         | HIPAA EDI (X12)       | ✅ Complete |
| [PM-25-HIPAA-CMS-VBP-EVIDENCE.md](hipaa-cms-vbp-evidence.md)                                   | CMS Value-Based Purchasing        | CMS-0057-F            | ✅ Complete |
| [CE-28-HIPAA-PART2-EVIDENCE.md](hipaa-part2-evidence.md)                                       | CE HIPAA/Part 2                   | HIPAA + 42 CFR Part 2 | ✅ Complete |
| [CE-29-HIPAA-PART2-320O-EVIDENCE.md](hipaa-part2-320o-evidence.md)                             | CE HIPAA/Part 2 320-O             | HIPAA + AHCCCS 320-O  | ✅ Complete |
| [HR-09-EN1-EEOC-TITLE-VII-EVIDENCE.md](en1-eeoc-title-vii-evidence.md)                         | EEOC Title VII compliance         | Title VII, ADA, GINA  | ✅ Complete |
| [HR-34-IRS-worker-classification-1099-EVIDENCE.md](irs-worker-classification-1099-evidence.md) | IRS 1099 worker classification    | IRS (26 USC)          | ✅ Complete |

## Related

* `docs/compliance/REGULATORY_COMPLIANCE_TRACKER.md` — master compliance status
* `specs/_templates/COMPLIANCE_SIGNOFF_TEMPLATE.md` — sign-off template
* `scripts/audit/audit-compliance-evidence.ts` — coverage audit script
* `AGENTS.md §Regulatory Compliance Decision Tree` — what regulations apply to each core
