Skip to main content
Encore OS treats substance-use disorder (SUD) records as a privacy-segmented class under 42 CFR Part 2 and DS4P. When data leaves the system through an export, the platform applies a field-level treatment to PII/PHI before the row is written. This page documents both halves of that control: the enforced rule set (generated from the code that runs it) and the rationale for why each field is treated the way it is (hand-written, and the part an auditor reads).
This is a hybrid page (PF-113). The table below is generated from DEFAULT_PII_FIELDS in code and cannot drift from what actually runs; the surrounding rationale is authored by the compliance owner. The two are composed, not copied.

Enforced rule set

Exports run each row through applyPiiPhiFilter, which applies a per-field treatment. With no tenant override, the platform falls back to the defaults below — the literal, current contents of the enforcing constant: 8 fields are segmented by default; 3 are removed outright (diagnosis, ssn, treatment_notes) rather than masked.

Why removed vs. redacted

Two treatments appear above, and the distinction is deliberate:
  • redact replaces a value with [REDACTED] but keeps the field present. This suits contact/identity fields (email, phone, mrn, date_of_birth) where an export consumer may need to know a value existed without seeing it.
  • remove drops the field entirely so its presence is not even signalled. This is reserved for the most sensitive clinical content — diagnosis and treatment_notes — and for ssn. For SUD records, the diagnosis and clinical notes are exactly the data 42 CFR Part 2 §2.31 governs on re-disclosure; removing rather than masking them is defense-in-depth so a redacted-but-present field can never leak the existence of an SUD condition without a valid Part 2 consent and re-disclosure notice.
This control is one layer of the broader Part 2 posture (consent gating, disclosure logging, emergency override under §2.13). For the authoritative regulatory mapping, owners, and status, see the 42 CFR Part 2 entry in the Regulatory Compliance Tracker.
The defaults are a floor, not the whole control. Per-entity export configuration can tighten (never loosen below) these treatments, and SUD re-disclosure additionally requires consent verification upstream of export. This page documents the default segmentation only.