- Explicit consent for every disclosure (not the HIPAA TPO carve-out)
- Re-disclosure notice appended to every shared SUD record
- Specific recipient named in the consent
Medera’s implementation
-
Guardrail rule
substance_use_42cfr2runs on every workflow that touches SUD data - Consent state is stored per patient per recipient
- Re-disclosure notices are generated automatically on every export
- Audit log records every consent grant, revocation, and disclosure