Every two minutes Pyrenth checks each control against the running application and updates the list below. No patient health information appears here. The actual evidence files that a third-party assessor reviews sit behind the assessor sign-in.
| Control | Framework | Status | Detail |
|---|---|---|---|
| CURES-G10 | HHS-ONC | Pass | FHIR R4 API base URL configured (http://localhost:3001/api/fhir/r4); 45 CFR 170.315(g)(10) compatible (production-shape=false) |
| CURES-IB | HHS-ONC | Pass | 21st Century Cures Act information-blocking policy documented |
| USCDI | HHS-ONC | Pass | USCDI v3 data classes implemented |
| PATIENT-API | HHS-ONC | Pass | Patient-facing API at http://localhost:3001/api/portal; Cures Act mandates patient access (production-shape=false) |
| ONC-ATCB | HHS-ONC | Not applicable | ONC certification not required for VA direct EHR integration; needed only for Medicaid incentive billing |
| SMART-FHIR | HHS-ONC | Not applicable | SMART app launch optional for VA direct integration; required only for app marketplace |
| HIPAA-164.312(a)(2)(iv) | HHS-ONC | Not applicable | HIPAA 164.312(a)(2)(iv) Encryption and Decryption satisfied AT STRENGTHENED level: 3 of 3 customer key custody layers verified (S3 PHI buckets, Cognito signing, RDS storage). Above-baseline evidence: s3-phi-bucket-customer-managed-cmk, cognito-signing-customer-managed-cmk, rds-customer-managed-cmk-with-rotation. |
| HIPAA-164.312-D | HHS-ONC | Not applicable | Cognito not stood up yet; HIPAA 164.312(d) Person or Entity Authentication currently satisfied by Better Auth session layer. After Cognito deploy the identity-provider layer adds MFA enforcement on top. |
| PART2-COGNITO | HHS-ONC | Not applicable | Cognito not stood up yet; 42 CFR Part 2 phi_scope handling currently satisfied by Better Auth session + part2-consent.ts guard. Cognito custom attribute wires in after deploy. |