Compliance Documents (v5.1.0)
Introduced in v5.1.0. Adds 5 new compliance document types per client with a dual-signature workflow that involves an external Case Manager.
What is a Case Manager?
A Case Manager is an external user — typically a physician or referring provider — who must review and co-sign certain compliance documents. Case Managers do not have a portal account and never create one.
Dual-Signature Flow
1. Admin generates a compliance document for the client
2. Client signs first (in portal, as usual)
3. System sends an email to the Case Manager with a one-time access link
4. Case Manager opens the link → system sends OTP to their email
5. Case Manager enters OTP → gains temporary access to the document
6. Case Manager reviews, optionally comments, then signs
7. Document is marked fully signed
Why OTP?
SendGrid is not HIPAA-compliant. The email link contains no PHI — it is only a token that triggers a one-time password challenge. The sensitive document content is only accessible after the OTP is verified inside the portal session.
Document Access Rules
| Party | Access method | Has portal account? |
|---|---|---|
| Admin | Normal portal login | Yes |
| Client | Normal portal login | Yes |
| Case Manager | Email link → OTP challenge | No |
Implementation Notes
- The Case Manager flow must never require account creation or registration.
- PHI must not appear in any Case Manager email (subject line or body). See MWE Handover — Email Handling.
- The OTP is single-use and time-limited.
- After both signatures are collected the document is complete; admin can view the fully signed record from the client's Documents section.
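The link-token and OTP challenge described above, as an added Python example (not code from the portal or the specification). The class and method names, the 10-minute validity window, the five-attempt limit and retiring the link once the OTP is verified are assumptions; the specification states only that the link is one-time and the OTP is single-use and time-limited.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 600  # assumed validity window; the spec only says "time-limited"
MAX_ATTEMPTS = 5       # assumed guess limit; not stated in the spec


class CaseManagerChallenge:
    """In-memory challenge store keyed by the opaque link token (hypothetical design)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._links = {}  # link token -> document id, kept server side only
        self._otps = {}   # link token -> [otp_hash, expires_at, attempts_left]

    def create_link_token(self, document_id):
        # Random and opaque: nothing about the client or the document is
        # encoded in it, so the e-mail that carries it contains no PHI.
        token = secrets.token_urlsafe(32)
        self._links[token] = document_id
        return token

    def issue_otp(self, token):
        if token not in self._links:
            return None  # unknown or already used link
        otp = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(otp.encode()).hexdigest()
        self._otps[token] = [digest, self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return otp  # handed to the mailer; only its hash is stored

    def verify_otp(self, token, submitted):
        entry = self._otps.get(token)
        if entry is None:
            return None
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._otps[token]  # time-limited and guess-limited
            return None
        entry[2] -= 1
        candidate = hashlib.sha256(submitted.encode()).hexdigest()
        if not hmac.compare_digest(candidate, digest):
            return None
        del self._otps[token]           # single use: consumed on success
        return self._links.pop(token)   # assumed: link is retired with the OTP
```

`verify_otp` returns the document id only on success, which is the point at which the portal would open the Case Manager's temporary session.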
Source
Functional Specification Document v5.1.0: 3.1 Functional Documentation/NHC _ v5.1.0 - Functional Specification Document (Client).pdf (7 pages).