AuxoHealth

Compliance Posture

Compliance built in, not bolted on.

Most EHRs treat 42 CFR Part 2 as a checkbox. Auxo enforces it at the middleware layer — the only place it can’t be forgotten. Sleep better. Survey easier. Defend cleaner.

The 42 CFR Part 2 problem

Most EHRs treat SUD records like any other PHI. That’s a federal violation.

42 CFR Part 2 isn't HIPAA — it's stricter. Substance use records require explicit consent for disclosure, separate audit trails, and re-disclosure warnings on every export. Auxo enforces all three automatically.

Treatment-staff exemption

Clinicians, therapists, and nurses bypass consent checks for the patients they're treating — exactly as Part 2 allows.

Consent enforcement

Non-clinical roles must have an active ConsentForDisclosure with includesSudRecords:true to see SUD data. No consent = no record.

Parallel audit trail

Every SUD-record read writes to SudAuditLog — separate from AuditLog so federal surveyors get a clean export.

Mandatory re-disclosure notice

Every API response carrying SUD data appends the federally-required re-disclosure language. Your integrations are warned.


The compliance stack

Six layers between your data and a breach.

Every read, every write, every download passes through this stack. There’s no admin shortcut, no ‘quick fix’ that bypasses it. By design.

Layer 01

Authentication & RBAC

JWT + role-scoped permissions. Clinical roles get treatment-staff exemption for SUD records. Non-clinical roles require explicit ConsentForDisclosure.

Layer 02

PHI Encryption (at rest)

Field-level AES-256 encryption on every PHI column. Keys are rotated via the PHI_ENCRYPTION_KEY rotation playbook. Never logged, never echoed.

Layer 03

Prisma Middleware Stack

Encrypt → Decrypt → Soft-delete filter → Audit. Four ordered layers run on every read and write. You can’t bypass them by accident.

Layer 04

Dual Audit Logs

AuditLog tracks all PHI access. SudAuditLog runs separately for 42 CFR Part 2 records — a parallel trail your DEA & federal surveys will ask for.

Layer 05

Re-Disclosure Notices

Every API response containing SUD data carries the federally-mandated re-disclosure notice. Your downstream integrations get the warning automatically.

Layer 06

Network & Storage

Enterprise object storage with server-side encryption. Signed URLs only. Rate limiting on public endpoints. Circuit breakers on every third-party call.

Standards we respect

The acronyms your survey will ask about.

HIPAA

Privacy + Security Rules

42 CFR Part 2

SUD confidentiality

HITECH

Breach notification

TX HSC §181

Texas Med Privacy Act

21 CFR Part 11

E-signature integrity

NIST 800-66

HIPAA Security mapping

HL7 / FHIR R4

Interoperability

SOC 2

In progress 2026