Every US healthcare provider is required by law to hold an NPI. The Edge Function hits the live federal NPPES API, confirms the number is active, cross-references the registered name, and validates that the taxonomy code matches a mental health specialty (LCSW, LMFT, PsyD, PhD, MFT, etc.).

Checks the federal List of Excluded Individuals/Entities. Providers on this list are legally barred from participating in Medicare, Medicaid, and all federal healthcare programs. Hard rejection if a match is found. Falls back to manual review if the API is unreachable.

DEA number checksum catches typos and fake numbers. License expiry compares the submitted date against today. Duplicate NPI guard prevents the same federal provider number from being used across multiple accounts.

SAM.gov is the federal register of debarred contractors and sanctioned parties. Catching a debarred provider is rare but a serious compliance win. The API requires a free registration.

1. Register at sam.gov → Account Settings → System Accounts → Request API key
2. Add secret SAM_GOV_API_KEY to Supabase Edge Function secrets
3. Add checkSAMExclusion(npi, lastName, firstName) to verify-therapist/index.ts, calling https://api.sam.gov/entity-information/v3/exclusions
4. Include result in audit log event_detail

The Edge Function already routes unreachable-API cases and taxonomy mismatches to status='pending'. This page gives admins a queue to review those cases, view uploaded credential documents via signed URLs, and approve or reject with a reason.

1. Create admin-verify.html (outlined in the HIPAA plan)
2. Query therapist_verifications WHERE status='pending'
3. Generate 5-min signed URLs for each credential_documents record via supabase.storage.createSignedUrl()
4. Approve → UPDATE therapist_verifications SET status='approved' + write to verification_audit_log
5. Reject → same, plus store rejection reason and trigger Resend email

There is no free national API for state mental health licenses — each of the 50 states runs its own licensing board database. Medallion and Certemy maintain integrations with all 50 state boards and can verify a license number in real time.

1. Sign up at medallion.co or certemy.com
2. Add provider via their API using NPI + license number + state
3. Receive webhook when verification completes (usually <60 sec)
4. Update therapist_verifications.license_verified = true on webhook receipt
5. Set up ongoing monitoring webhooks to catch revocations and renewals automatically

For a platform where clients are in a vulnerable therapeutic relationship, criminal background checks are standard practice. Checkr has a healthcare-specific package and a clean REST API.

1. Create account at checkr.com → apply for healthcare package
2. Add CHECKR_API_KEY to Supabase secrets
3. After NPI is approved, call POST /v1/invitations to email the therapist a consent + background check form
4. Listen to Checkr webhooks → on report.completed → update verification status in Supabase
5. Store checkr_report_id in therapist_verifications for audit trail

The DEA doesn't publish a public API — the checksum validates format only. To confirm a DEA number is genuinely registered, you need a third-party data provider like Veridian or LexisNexis Healthcare.

1. Contact Veridian or LexisNexis Healthcare for DEA verification API access
2. Relevant only for therapists who can prescribe (psychiatrists, NPs) — most LCSWs/LMFTs won't have a DEA number
3. Replace the existing validateDEA() checksum call with a live API call in verify-therapist/index.ts

CAQH is the industry standard credentialing data source used by most US health insurance companies. If you want Self Shelf therapists to accept insurance, CAQH integration is the path. Providers already credentialed with CAQH can authorize your platform to read their profile directly.

1. Apply for CAQH ProView API access at proview.caqh.org (requires organization vetting)
2. Therapists authorize Self Shelf to read their CAQH profile
3. Pull license, malpractice, education, and work history data automatically
4. This largely replaces the manual therapist-verify.html form for insurance-accepting therapists

Session notes and journal entries currently live in localStorage. Under HIPAA, PHI at rest must be encrypted and access-controlled. This means migrating to the session_notes, client_notes, and day_notes Supabase tables that already exist from migration 003.

1. dashboard.html journal writes → INSERT INTO day_notes instead of localStorage.setItem
2. therapist-dashboard.html clinical notes → already partially wired to session_notes, confirm all writes go to DB
3. Add a migration to purge any existing localStorage PHI on next login
4. Supabase AES-256 at rest + TLS in transit covers the HIPAA encryption requirement

Before handling real patient data in production, you need a signed Business Associate Agreement (BAA) with Supabase. This requires Supabase Pro ($25/mo). Resend also has a HIPAA tier for email. The BAA wizard in therapist-verify.html already captures the therapist's agreement on your side.

1. Upgrade Supabase project to Pro ($25/mo) → Settings → Billing
2. Request BAA from Supabase → Settings → Legal → Business Associate Agreement
3. Upgrade Resend to a paid plan and request their HIPAA addendum
4. Create baa.html — full BAA text reference page for therapists