# athenaOne Solution Validation Plan

## What is Solution Validation?

athenahealth reviews your integration to verify it works correctly, handles errors gracefully, stays within API limits, and protects PHI. They test against their checklist before granting production access.

## Pre-Validation Checklist (Do Before Submitting)

### 1. Sandbox Testing — Complete All Use Cases

| Test | How to Test | Expected Result | Status |
|------|------------|-----------------|--------|
| **OAuth2 token** | Ping from Athena dashboard tab | Token obtained, ping succeeds | Can test now |
| **Patient lookup** | Enter sandbox patient ID in Verify panel | athenaOne patient data returned | Can test now |
| **Department list** | Click Browse Departments | 32 sandbox departments listed | Can test now |
| **Upload PDF from web** | Upload a test result via dashboard | Document ID returned, visible in sandbox | Can test now |
| **Upload PDF from app** | Tap Athena button after scoring | Document ID returned, success snackbar | Can test now |
| **No realPatientId** | Try upload for patient without athena ID | Error dialog, upload blocked | Can test now |
| **Bad credentials** | Test with wrong encryption_key | "Invalid user credentials" error | Can test now |
| **Missing fields** | POST without athena_patient_id | Clear error message listing missing fields | Can test now |
| **Invalid patient ID** | Use non-existent athena patient ID | Graceful error from athenaOne, shown to user | Can test now |
| **Large PDF** | Generate a detailed report with all sections | Upload succeeds within 30s timeout | Can test now |
| **Token expiry** | Wait >1 hour, then upload | Auto-refreshes token, upload succeeds | Can test now |

### 2. Error Handling Verification

| Scenario | Expected Behavior |
|----------|------------------|
| athenaOne API down | Timeout after 20s, user sees "Athena API request failed" |
| Invalid token | Re-authenticates automatically (cache expires) |
| Network interruption mid-upload | Error shown, no partial data left on server |
| Temp file cleanup | Verify no orphaned PDF files in /tmp after uploads |
| Duplicate upload | athenaOne creates a new document (no dedup needed) |

### 3. Security Review

| Check | How to Verify |
|-------|--------------|
| client_secret not in git | `grep -r "client_secret" .git/` returns nothing |
| client_secret not in app | Search APK/IPA for the secret string — not present |
| Error messages sanitized | Trigger errors, verify no stack traces or API keys in responses |
| HIPAA audit log working | Upload a document, check `test/logs/athena_hipaa_audit.log` |
| No PHI in error logs | Check `logs/athena_send.log` — only IDs, no patient names |
| Token cache permissions | `ls -la /tmp/athena_token_cache.json` shows 600 |
| Config file permissions | `ls -la athena_config.json` shows 600 |

### 4. Rate Limit Compliance

| Check | Expected |
|-------|----------|
| Estimated daily calls | 20-60 (well within limits) |
| Token caching | Yes — ~1 token request per hour, not per API call |
| No bulk data pulls | Confirmed — single-patient queries only |
| No appointment queries >7 days | N/A — we don't query appointments |
| Pagination on departments | Yes — 100 per page, max 1000 |

## Validation Steps (In Order)

### Phase 1: Internal Testing (Now)
1. Run through all sandbox tests above from both the app and web dashboard
2. Verify all error scenarios
3. Check all logs for correctness
4. Document results with screenshots

### Phase 2: Submit Tech Spec
1. Fill in remaining TODOs (practice name, practice ID)
2. Attach polished workflow graphic
3. Submit to athenahealth contact
4. They review and may ask questions — respond promptly

### Phase 3: Production Credentials
1. athenahealth issues production client_id/client_secret
2. Update athena_config.json:
   - `base_url`: `https://api.platform.athenahealth.com` (remove "preview")
   - `client_id`: new production value
   - `client_secret`: new production value
   - `practice_id`: real practice ID
3. Test token authentication against production
4. Do NOT upload test documents to real patient charts yet

### Phase 4: Production Validation
1. athenahealth may run their own tests or ask you to demonstrate
2. Upload a test document to a designated test patient in production
3. Verify document appears correctly in athenaNet
4. Verify audit logs capture the production upload
5. Confirm error handling works against production API

### Phase 5: Go-Live
1. athenahealth confirms Solution Validation passed
2. Practice representative signs the Go-Live Authorization form
3. athenahealth enables full production access (2 business days after signature)
4. Remove sandbox config, confirm production is the only active config
5. Monitor first week of production uploads for issues

## Timeline Estimate

| Phase | Duration | Depends On |
|-------|----------|------------|
| Phase 1: Internal Testing | 1-2 days | Just us |
| Phase 2: Submit Tech Spec | 1 day to finalize, then wait for athena review | Practice name, graphic |
| Phase 3: Production Credentials | 1-2 weeks (athena turnaround) | Tech spec approved |
| Phase 4: Production Validation | 1-3 days | Production credentials |
| Phase 5: Go-Live | 2 business days after signature | Validation passed |

**Total estimated timeline: 3-5 weeks from submission**

## What We Can Do Right Now

1. Run all Phase 1 sandbox tests
2. Get the workflow graphic created (give the prompt to ChatGPT/Gemini)
3. Get the practice name and production practice ID from the client
4. Finalize and submit the tech spec