Prompt injection in behavioral health and substance use disorder AI

Four adversarial injection surfaces in behavioral health and substance use disorder AI

1. Substance use disorder intake screening document injection (42 CFR Part 2, SAMHSA 42 USC §290bb-2)

Substance use disorder intake screening AI processes AUDIT-C Alcohol Use Disorders Identification Test three-question version scanned paper form images displaying patient self-reported drinking frequency, quantity, and binge-drinking occasion response fields with AI-readable response score annotations, DAST-10 Drug Abuse Screening Tool ten-item scanned form images displaying patient self-reported drug use behaviour response fields with total score tabulation display, ASI Addiction Severity Index multi-domain intake assessment document scan images displaying patient-reported and clinician-rated severity scores across drug use, alcohol use, medical, psychiatric, employment, family, and legal problem domains, CAGE questionnaire four-item scanned form images displaying patient cut-down, annoyed, guilty, and eye-opener response fields with AI-assisted severity classification outputs, and AUDIT-10 full version scanned form images displaying ten-item alcohol use identification response fields from Netsmart CareManager AI at 900 or more healthcare organisations and 950,000 or more care settings processing SUD intake screening document images through AI-assisted SUD admission classification, American Society of Addiction Medicine (ASAM) level-of-care determination, and SAMHSA OTP certification compliance verification tools; Kipu EHR AI at 1,800 or more addiction treatment centres processing SUD intake screening form scan images through AI-assisted ASAM level-of-care classification, clinical protocol compliance verification, and treatment plan generation tools; and Qualifacts CareLogic AI at 400 or more community mental health organisations processing SUD intake screening document scan images through AI-assisted admission classification, dual-diagnosis assessment, and SAMHSA block grant reporting compliance tools — extracting SUD diagnosis severity classifications, ASAM level-of-care placement recommendations, OTP admission eligibility determinations, and SAMHSA programme certification compliance verifications from SUD intake screening form scan image inputs in AI-assisted behavioral health admission pipelines at clinical intake volumes that make individual licensed clinical assessor re-review of every AI-processed screening document impracticable.

The adversarial injection surface is the SUD intake screening form scan image submission pathway: Netsmart CareManager AI, Kipu EHR AI, or Qualifacts CareLogic AI AUDIT-C, DAST-10, ASI, or CAGE scanned form images submitted through AI-assisted SUD admission classification and ASAM level-of-care determination tools for AI severity classification record generation and clinical documentation filing. An adversarially crafted AUDIT-C scanned form image — in which pixel perturbations applied to the patient response bubble-fill display region, the handwritten response field display, the interviewer score tabulation annotation display, or the total score numerical display of the AUDIT-C form image cause the AI to classify a patient with AUDIT-C score of 4 or above (the clinical threshold for identifying hazardous alcohol use in most scoring frameworks) as scoring below the clinical threshold indicating no hazardous use, or to misclassify an ASI composite score indicating high-severity addiction requiring residential level III.5 ASAM care as a low-severity presentation appropriate for outpatient level I care — can suppress a SUD severity indicator that would otherwise generate a high-acuity treatment placement determination, an OTP admission eligibility authorisation, a dual-diagnosis clinical documentation flag, or a SAMHSA 42 CFR Part 2 programme enrolment notification. In behavioral health platforms where Netsmart CareManager AI or Kipu EHR AI processes thousands of SUD intake screening form scan images per day without individual licensed clinical assessor review of every AI-processed form before the AI severity classification governs ASAM level-of-care placement and SAMHSA programme admission decisions, adversarial suppression of SUD severity indicators creates 42 CFR Part 2 SUD records compliance, SAMHSA 42 USC §290bb-2 programme certification, and HIPAA 45 CFR §164.502(b) minimum necessary PHI standard dimensions.

The 42 CFR Part 2, SAMHSA 42 USC §290bb-2, HIPAA 45 CFR §164.502(b), and ASAM Patient Placement Criteria regulatory consequences of adversarially corrupted SUD intake screening classification span 42 CFR Part 2 Substance Use Disorder patient record confidentiality requirements establishing the most restrictive federal health privacy framework — prohibiting disclosure of SUD patient records without explicit written patient consent to any person or entity, including other treating providers, except under enumerated exceptions including medical emergencies, research with IRB approval, and court orders — with civil monetary penalty authority and criminal liability under 42 CFR §2.12 and prior DOJ enforcement practice for knowing violations; the specific concern for adversarial injection is that corrupted AI SUD severity classifications create erroneous 42 CFR Part 2 programme enrolment records that may trigger unauthorised disclosures of patient SUD status to non-programme entities based on false positive AI classifications; SAMHSA 42 USC §290bb-2 OTP and SUD treatment programme certification requirements establishing that SAMHSA-certified OTP programmes must maintain clinical protocols for admission assessment, level-of-care determination, and treatment plan development consistent with SAMHSA Treatment Improvement Protocols (TIPs) — adversarially corrupted AI SUD severity classifications that misplace patients in inappropriate ASAM levels of care create SAMHSA OTP certification compliance violation dimensions; HIPAA 45 CFR §164.502(b) minimum necessary PHI standard requiring that covered entities limit disclosure of PHI to the minimum necessary for each treatment, payment, and healthcare operations purpose — adversarially fabricated or suppressed SUD severity AI classifications create minimum necessary standard violations when erroneous classifications trigger disclosures or withhold disclosures in ways inconsistent with the minimum necessary standard; and ASAM Patient Placement Criteria for the Treatment of Substance-Related Disorders establishing standardised multidimensional assessment criteria for SUD level-of-care placement used in Medicaid managed care prior authorisation, SAMHSA block grant reporting, and commercial insurance prior authorisation determination — adversarially corrupted AI ASAM level-of-care classifications create prior authorisation fraud dimensions. Threshold: 55 for SUD intake screening document injection — reflecting 42 CFR Part 2 SUD confidentiality, SAMHSA 42 USC §290bb-2 programme certification, HIPAA §164.502(b) minimum necessary, and ASAM level-of-care placement accuracy dimensions.

2. Crisis and suicide risk assessment image injection (Joint Commission NPSG 15.01.01, EMTALA 42 USC §1395dd)

Crisis and suicide risk assessment AI processes Columbia Suicide Severity Rating Scale (C-SSRS) paper administration form scan images displaying clinician-rated ideation intensity subscale, behaviour subscale, and overall risk level determination fields with AI-readable response and annotation overlays, PHQ-9 Patient Health Questionnaire nine-item depression severity screening display images showing item-level response scores and total score with clinical severity category annotation, Beck Hopelessness Scale (BHS) paper form scan images displaying 20-item hopelessness belief indicator response fields with AI-classified severity grade output overlay, crisis risk level indicator display images showing AI-generated risk stratification determinations for low, moderate, high, and imminent risk categories with recommended disposition and safety planning action triggers, Suicide Assessment Five-step Evaluation and Triage (SAFE-T) protocol documentation display images showing five-domain structured professional judgement assessment fields, and nursing crisis triage note and safety planning checklist scan images from Spring Health AI at 4,500 or more employer clients and 3 million or more covered members processing C-SSRS and PHQ-9 crisis assessment display images through AI-assisted telehealth crisis triage and safety planning tools; myAvatar AI at Netsmart serving 600 or more psychiatric hospitals and residential treatment facilities processing C-SSRS paper form scan, PHQ-9 response display, and crisis risk stratification display images through AI-assisted inpatient psychiatric crisis triage and safety planning documentation tools; and BrightSpring Health AI at 400 or more behavioral health locations processing crisis risk assessment document scan images through AI-assisted crisis intervention, safety planning, and EMTALA psychiatric emergency stabilisation documentation tools — extracting crisis risk level determinations, involuntary psychiatric hold eligibility assessments, safety planning action triggers, and EMTALA psychiatric emergency stabilisation documentation from crisis and suicide risk assessment document scan image inputs in AI-assisted behavioral health crisis triage pipelines.

The adversarial injection surface is the C-SSRS paper form scan image, PHQ-9 depression screening display image, or crisis risk level indicator display image submission pathway: Spring Health AI, myAvatar AI, or BrightSpring Health AI crisis assessment document scan and display images submitted through AI-assisted crisis triage and safety planning tools for AI risk stratification determination record generation and clinical disposition filing. An adversarially crafted C-SSRS paper form scan image — in which pixel perturbations applied to the clinician-rated ideation intensity field checkbox fill indicators, the behaviour subscale “yes” or “no” response display markers, or the overall risk level determination annotation overlay of the scanned C-SSRS form cause the AI to classify a patient whose clinician-rated C-SSRS indicates active suicidal ideation with intent and plan (C-SSRS score ≥ 4 on the ideation intensity subscale, signalling clinically significant imminent risk) as a patient with passive suicidal ideation without plan or intent (C-SSRS score ≤ 2, signalling low risk) when the actual scanned form evidences a high-severity clinical presentation meeting Joint Commission NPSG 15.01.01 high-risk designation criteria — can suppress a suicide risk indicator that would otherwise generate a safety planning intervention trigger, a crisis stabilisation referral, a psychiatric evaluation request, a voluntary or involuntary psychiatric hold recommendation, or an EMTALA psychiatric emergency stabilisation obligation. In behavioral health settings where Spring Health AI or myAvatar AI processes crisis risk assessment documents through AI-assisted triage without individual licensed clinical reviewer re-assessment of every AI-processed crisis document before the AI risk classification governs safety planning and disposition decisions, adversarial suppression of high-severity crisis indicators creates Joint Commission NPSG 15.01.01 patient safety, EMTALA 42 USC §1395dd psychiatric stabilisation, and CMS Conditions of Participation §482.13 patient rights dimensions with direct patient safety consequences.

The Joint Commission NPSG 15.01.01, EMTALA 42 USC §1395dd, CMS §482.13, and state involuntary commitment statute regulatory consequences of adversarially suppressed crisis risk classification span Joint Commission National Patient Safety Goal NPSG 15.01.01 suicide risk reduction requirements establishing that Joint Commission–accredited behavioral health organisations must screen patients for suicide risk using a validated screening tool, stratify risk, and implement evidence-based interventions and safety planning protocols consistent with the patient’s risk level — adversarial suppression of high-severity C-SSRS or PHQ-9 risk indicators in AI crisis triage tools that causes misclassification of high-risk patients as low-risk creates NPSG 15.01.01 patient safety goal compliance failure dimensions with Joint Commission accreditation action potential; EMTALA 42 USC §1395dd psychiatric emergency screening and stabilisation requirements establishing that EMTALA-covered hospitals must provide appropriate medical screening examinations and stabilising treatment for psychiatric emergency presentations — adversarially corrupted AI crisis risk classifications that suppress EMTALA-triggering psychiatric emergency indicators create EMTALA violation dimensions with civil monetary penalty exposure of up to $119,942 per violation under 42 CFR Part 489 and exclusion from Medicare and Medicaid participation; CMS Conditions of Participation §482.13 patient rights regulations requiring that patients receive care in the least restrictive medically appropriate environment and have access to appropriate psychiatric crisis intervention services — adversarially corrupted crisis AI that suppresses imminent risk indicators preventing appropriate crisis intervention creates patient rights compliance dimensions; state involuntary psychiatric commitment statute requirements including California W&I Code §5150 72-hour hold criteria for patients who are a danger to self or others — adversarially suppressed C-SSRS indicators preventing identification of hold-eligible patients creates state mental health law compliance dimensions; and professional licensing board standards of care applicable to licensed clinicians who rely on AI-assisted crisis risk classification tools. Threshold: 65 for crisis and suicide risk assessment image injection — reflecting Joint Commission NPSG 15.01.01 accreditation compliance, EMTALA 42 USC §1395dd psychiatric emergency stabilisation, CMS §482.13 patient rights, state involuntary commitment statutes, and direct patient safety consequence dimensions.

3. Medication-assisted treatment prescription document injection (DEA 21 CFR Part 1306, FDA REMS)

Medication-assisted treatment prescription AI processes DEA buprenorphine DATA 2000 waiver certificate or MATE Act prescribing authority confirmation display images showing clinician DEA registration number, waiver status confirmation, and approved patient census limit display fields with AI-readable authorisation verification overlays, naltrexone extended-release injectable (Vivitrol) FDA REMS programme prescriber enrolment status confirmation display images, methadone OTP dispensing authorisation and daily dose limit display images showing DEA Schedule II dispensing authorisation, OTP programme certification status, and individual patient dosing record fields, buprenorphine sublingual prescription document scan images showing prescriber DEA waiver number, patient identifier, dosage form, quantity, and days-supply fields, and SAMHSA OTP certification and accreditation status display images from Kipu EHR AI at 1,800 or more addiction treatment centres processing DEA buprenorphine waiver certificate display, methadone dispensing authorisation, and MAT prescription document scan images through AI-assisted MAT compliance verification, DEA controlled substance prescribing authorisation verification, and FDA REMS programme compliance tools; Netsmart CareManager AI at 900 or more healthcare organisations processing DEA waiver status display and OTP dispensing authorisation display images through AI-assisted OTP clinical protocol compliance and SAMHSA certification programme documentation tools; and Qualifacts CareLogic AI at 400 or more community mental health organisations processing MAT prescription authorisation display images through AI-assisted MAT compliance monitoring, prior authorisation documentation, and Medicaid MAT billing compliance tools — extracting DEA prescribing authorisation verifications, FDA REMS enrolment compliance determinations, SAMHSA OTP certification status assessments, and MAT clinical protocol compliance determinations from MAT prescription and DEA waiver display image inputs in AI-assisted substance use disorder treatment compliance pipelines.

The adversarial injection surface is the DEA buprenorphine waiver certificate display image, naltrexone FDA REMS prescriber enrolment confirmation display image, or methadone OTP dispensing authorisation display image submission pathway: Kipu EHR AI, Netsmart CareManager AI, or Qualifacts CareLogic AI MAT prescription and DEA waiver display images submitted through AI-assisted MAT compliance verification and prescribing authorisation tools for AI compliance determination record generation and MAT programme documentation filing. An adversarially crafted DEA buprenorphine waiver certificate display image — in which pixel perturbations applied to the DEA registration number display field, the DATA 2000 or MATE Act waiver authorisation confirmation indicator, the approved patient census limit numerical display, or the authorisation expiration date display cause the AI to classify a clinician without current DEA buprenorphine prescribing authority — whose DATA 2000 waiver has expired, whose DEA registration has been suspended, or who has reached the approved patient census limit for their authorisation tier — as holding current valid DEA buprenorphine prescribing authority meeting Kipu EHR AI MAT compliance requirements when the actual DEA waiver status record indicates no valid prescribing authority — can suppress a prescribing authorisation deficiency indicator that would otherwise generate a DEA compliance alert, a buprenorphine prescription hold, an OTP dosing authorisation block, or an FDA REMS programme non-compliance notification. In MAT programme platforms where Netsmart CareManager AI or Kipu EHR AI processes DEA waiver and FDA REMS display images without individual compliance officer review of every AI-processed authorisation document before the AI determination governs buprenorphine prescription execution and OTP methadone dispensing, adversarial suppression of MAT prescribing authorisation deficiency indicators creates DEA 21 CFR Part 1306 controlled substance prescribing, FDA REMS programme compliance, and SAMHSA OTP certification 42 CFR Part 8 dimensions.

The DEA 21 CFR Part 1306, DATA 2000/MATE Act, FDA REMS, and SAMHSA OTP 42 CFR Part 8 regulatory consequences of adversarially corrupted MAT prescription authorisation classification span DEA 21 CFR Part 1306.04 requirements establishing that Schedule III–V controlled substances including buprenorphine may be prescribed only by practitioners registered with DEA who are authorised to prescribe the substance in the schedule in which it is listed — adversarially corrupted AI MAT prescribing authorisation verification that enables buprenorphine prescription execution by clinicians without current DEA waiver authority creates DEA 21 CFR Part 1306 controlled substance prescribing violation dimensions with DEA registration suspension and criminal liability under 21 USC §842 for distribution or dispensing without registration; DATA 2000 waiver requirements and MATE Act buprenorphine prescribing authority establishing that clinicians must complete required DEA-specified training and obtain DEA authorisation before prescribing buprenorphine products for OUD outside of OTP settings — adversarially fabricated DEA waiver display AI that authorises out-of-waiver buprenorphine prescribing creates federal controlled substance distribution liability; FDA REMS programme requirements for Vivitrol extended-release naltrexone and certain buprenorphine formulations establishing prescriber enrolment, patient counselling, and monitoring requirements as conditions of FDA approval — adversarially corrupted REMS status display AI that creates false positive REMS compliance determinations enables non-enrolled prescribers to obtain REMS-controlled medications; SAMHSA OTP certification requirements under 42 CFR Part 8 establishing that OTP programmes must comply with SAMHSA-approved protocols for methadone and buprenorphine dispensing including patient eligibility assessment, dosing authorisation, and take-home medication privilege criteria — adversarially corrupted methadone dispensing authorisation AI creates SAMHSA OTP 42 CFR Part 8 certification compliance violation dimensions. Threshold: 70 for MAT prescription document injection — reflecting DEA 21 CFR Part 1306 Schedule III prescribing authority, DATA 2000/MATE Act waiver requirements, FDA REMS programme compliance, and SAMHSA OTP 42 CFR Part 8 certification dimensions.

4. Behavioural health court-ordered treatment documentation injection (HIPAA 45 CFR §164.512(e), ADA Title II 42 USC §12132)

Behavioral health court-ordered treatment documentation AI processes court order document scan images displaying judge-signed conditional release terms, treatment programme participation requirements, substance use testing compliance conditions, and reporting period specifications, conditional release compliance monitoring display images showing treatment attendance verification, drug test result summaries, and programme compliance status indicator fields with AI-readable compliance determination overlays, involuntary treatment authorisation document scan images displaying court-signed involuntary commitment orders with diagnostic criteria findings, treatment setting specifications, and maximum commitment period authorisations, mental health diversion programme completion certification display images showing diversion eligibility criteria, programme completion requirements, and criminal case disposition linkage fields, and probation-linked substance abuse treatment monitoring report scan images from myAvatar AI at 600 or more psychiatric hospitals and residential facilities processing court order document scan images through AI-assisted involuntary treatment compliance monitoring and conditional release verification tools; Spring Health AI at 4,500 or more employer clients processing court-ordered Employee Assistance Programme (EAP) treatment compliance documentation and conditional employment agreement compliance monitoring display images through AI-assisted court-mandate and EAP compliance verification tools; and Exym AI at 700 or more community behavioral health providers with California focus processing Welfare and Institutions Code §5150 and §5250 involuntary hold and commitment document scan images, mental health diversion programme compliance display images, and probation-linked substance use treatment monitoring documentation through AI-assisted court-mandate compliance monitoring and DHCS reporting tools — extracting conditional release compliance determinations, involuntary commitment authorisation verifications, diversion programme completion certifications, and probation-linked treatment compliance assessments from court-ordered treatment documentation scan image inputs in AI-assisted behavioral health court-mandate monitoring pipelines.

The adversarial injection surface is the court order document scan image, conditional release compliance monitoring display image, or involuntary treatment authorisation document scan image submission pathway: myAvatar AI, Spring Health AI, or Exym AI court-ordered treatment documentation scan and display images submitted through AI-assisted conditional release compliance monitoring and court-mandate verification tools for AI compliance determination record generation and judicial and probation officer reporting. An adversarially crafted conditional release compliance monitoring display image — in which pixel perturbations applied to the treatment attendance verification status indicator display, the drug test result field compliance status marker, or the programme compliance summary determination field cause the AI to classify a patient who has failed to meet conditional release treatment attendance, drug testing, or programme participation requirements — who would otherwise be subject to conditional release revocation or contempt of court proceedings — as meeting all court-ordered conditional release compliance conditions when the actual treatment attendance and drug test records evidence non-compliance — can suppress a conditional release compliance failure indicator that would otherwise generate a probation officer non-compliance notification, a court-ordered treatment revocation referral, a diversion programme failure report, or a Welfare and Institutions Code §5250 extended commitment evaluation trigger. In court-mandate monitoring programmes where myAvatar AI or Exym AI processes compliance monitoring display images without individual case manager review of every AI-processed compliance record before the AI determination governs judicial reporting, adversarial suppression of non-compliance indicators creates HIPAA 45 CFR §164.512(e) court order exception, ADA Title II 42 USC §12132, Olmstead community integration requirement, and state mental health law compliance dimensions.

The HIPAA 45 CFR §164.512(e), ADA Title II 42 USC §12132, Olmstead v. L.C. 527 US 581, and state mental health law regulatory consequences of adversarially corrupted court-ordered treatment compliance classification span HIPAA 45 CFR §164.512(e) court order exception to the authorisation requirement establishing that covered entities may disclose PHI in response to a court order or court-ordered warrant without patient authorisation — adversarially fabricated or suppressed AI court-mandate compliance determinations that generate erroneous compliance reports to courts and probation officers create HIPAA §164.512(e) court order disclosure accuracy dimensions affecting judicial reliance on AI-generated compliance records; ADA Title II 42 USC §12132 public services non-discrimination requirements and Olmstead v. L.C. 527 US 581 community integration mandate establishing that public entities must administer services in the most integrated setting appropriate to the needs of qualified individuals with disabilities — adversarially corrupted court-ordered treatment placement AI that assigns individuals with behavioral health disabilities to more restrictive settings than clinically indicated, or that fabricates compliance failures triggering unnecessary re-institutionalisation, creates ADA Title II and Olmstead community integration violation dimensions with DOJ enforcement authority; state mental health law due process protections applicable to involuntary commitment and conditional release proceedings — adversarially corrupted AI compliance records filed with courts and probation offices that inaccurately represent patient compliance status affect due process rights in commitment revocation and conditional release continuation proceedings; and CMS Conditions of Participation §482.13 patient rights regulations applicable to court-ordered inpatient psychiatric treatment settings operated by myAvatar AI hospital clients — adversarially corrupted AI court-mandate compliance documentation creates patient rights compliance dimensions. Threshold: 50 for behavioural health court-ordered treatment documentation injection — reflecting HIPAA 45 CFR §164.512(e) court order disclosure accuracy, ADA Title II 42 USC §12132 non-discrimination, Olmstead community integration, and state mental health law due process dimensions.

Integration: behavioral health and SUD AI image ingestion with Glyphward pre-scan

Behavioral health and SUD AI image ingestion flows from Netsmart CareManager AI, Kipu EHR AI, and Qualifacts CareLogic AI SUD intake screening form scan image processing channels, Spring Health AI, myAvatar AI, and BrightSpring Health AI crisis and suicide risk assessment document scan and display image processing interfaces, Kipu EHR AI, Netsmart CareManager AI, and Qualifacts CareLogic AI MAT prescription document and DEA waiver display image processing pipelines, and myAvatar AI, Spring Health AI, and Exym AI court-ordered treatment compliance documentation scan and display image processing platforms into SUD intake severity classification AI, crisis risk stratification and safety planning AI, MAT compliance verification AI, and court-mandate monitoring AI pipelines. Insert Glyphward’s pre-scan at the ingestion boundary before AI-generated output is committed to ASAM level-of-care placement records, crisis safety planning dispositions, DEA controlled substance prescribing authorisation records, or judicial and probation compliance reports:

import asyncio
import base64
import hashlib
import os
import uuid
from enum import Enum
from pathlib import Path

import httpx

GLYPHWARD_API_KEY = os.environ["GLYPHWARD_API_KEY"]
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# Behavioral health & SUD AI — adversarial pixel injection in SUD intake
# screening form images, crisis risk assessment documents, MAT prescription
# displays, and court-ordered treatment records with 42 CFR Part 2, Joint
# Commission NPSG 15.01.01, DEA 21 CFR Part 1306, and HIPAA §164.512(e)
# regulatory consequences.

# 42 CFR Part 2 SUD confidentiality; SAMHSA 42 USC §290bb-2 programme
# certification; HIPAA 45 CFR §164.502(b) minimum necessary; ASAM placement.
THRESHOLD_SUD_INTAKE_SCREENING_AI      = 55

# Joint Commission NPSG 15.01.01 suicide risk; EMTALA 42 USC §1395dd
# psychiatric emergency; CMS §482.13 patient rights; state commitment statutes.
THRESHOLD_CRISIS_RISK_ASSESSMENT_AI    = 65

# DEA 21 CFR Part 1306 controlled substance prescribing; DATA 2000/MATE Act
# buprenorphine authority; FDA REMS Vivitrol/buprenorphine; SAMHSA 42 CFR Part 8.
THRESHOLD_MAT_PRESCRIPTION_AI         = 70

# HIPAA 45 CFR §164.512(e) court order exception; ADA Title II 42 USC §12132;
# Olmstead 527 US 581 community integration; state mental health law due process.
THRESHOLD_COURT_ORDERED_TREATMENT_AI  = 50


class BehavioralHealthSUDAIContext(str, Enum):
    SUD_INTAKE_SCREENING_AI      = "sud_intake_screening_ai"      # Netsmart, Kipu EHR, Qualifacts CareLogic
    CRISIS_RISK_ASSESSMENT_AI    = "crisis_risk_assessment_ai"    # Spring Health, myAvatar, BrightSpring
    MAT_PRESCRIPTION_AI          = "mat_prescription_ai"          # Kipu EHR, Netsmart, Qualifacts CareLogic
    COURT_ORDERED_TREATMENT_AI   = "court_ordered_treatment_ai"   # myAvatar, Spring Health, Exym


def threshold_for(context: BehavioralHealthSUDAIContext) -> int:
    mapping = {
        BehavioralHealthSUDAIContext.SUD_INTAKE_SCREENING_AI:      THRESHOLD_SUD_INTAKE_SCREENING_AI,
        BehavioralHealthSUDAIContext.CRISIS_RISK_ASSESSMENT_AI:    THRESHOLD_CRISIS_RISK_ASSESSMENT_AI,
        BehavioralHealthSUDAIContext.MAT_PRESCRIPTION_AI:          THRESHOLD_MAT_PRESCRIPTION_AI,
        BehavioralHealthSUDAIContext.COURT_ORDERED_TREATMENT_AI:   THRESHOLD_COURT_ORDERED_TREATMENT_AI,
    }
    return mapping[context]


async def scan_behavioral_health_sud_ai_image(
    image_path: str | Path,
    context: BehavioralHealthSUDAIContext,
    patient_entity_hash: str,   # SHA-256 of patient MRN or case number (never plaintext PHI)
    programme_ref: str,         # e.g. "KIPU-OTP-2026-ADM-3812", "EXYM-COURT-2026-CA-5150-0041"
    clinical_session_id: str,   # intake session, crisis triage session, or compliance review ID
    client: httpx.AsyncClient,
) -> dict:
    """
    Scan a behavioral health or SUD AI image for adversarial injection payloads
    before forwarding to SUD intake severity classification, crisis risk
    stratification, MAT compliance verification, or court-mandate monitoring AI.

    Raises AdversarialBehavioralHealthSUDAIImageError if score meets threshold:
      - SUD_INTAKE_SCREENING_AI:      threshold 55; 42 CFR Part 2; SAMHSA §290bb-2
      - CRISIS_RISK_ASSESSMENT_AI:    threshold 65; Joint Commission NPSG 15.01.01
      - MAT_PRESCRIPTION_AI:          threshold 70; DEA 21 CFR Part 1306; FDA REMS
      - COURT_ORDERED_TREATMENT_AI:   threshold 50; HIPAA §164.512(e); ADA Title II
    """
    image_bytes    = Path(image_path).read_bytes()
    image_b64      = base64.b64encode(image_bytes).decode()
    image_sha256   = hashlib.sha256(image_bytes).hexdigest()
    client_scan_id = str(uuid.uuid4())
    threshold      = threshold_for(context)

    resp = await client.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json={
            "image": image_b64,
            "source": context.value,
            "metadata": {
                "bh_sud_context":       context.value,
                "patient_entity_hash":  patient_entity_hash,
                "programme_ref":        programme_ref,
                "clinical_session_id":  clinical_session_id,
                "client_scan_id":       client_scan_id,
                "image_sha256":         image_sha256,
            },
        },
        timeout=8.0,
    )
    resp.raise_for_status()
    result = resp.json()

    audit_record = {
        "patient_entity_hash":  patient_entity_hash,
        "programme_ref":        programme_ref,
        "clinical_session_id":  clinical_session_id,
        "bh_sud_context":       context.value,
        "scan_id":              result["scan_id"],
        "client_scan_id":       client_scan_id,
        "image_sha256":         image_sha256,
        "score":                result["score"],
        "flagged_region":       result.get("flagged_region"),
        "threshold":            threshold,
        "action":               "blocked" if result["score"] >= threshold else "allowed",
    }
    await write_behavioral_health_sud_audit_record(audit_record)

    if result["score"] >= threshold:
        raise AdversarialBehavioralHealthSUDAIImageError(
            f"Behavioral health SUD AI image blocked [{context.value}]: "
            f"scan_id={result['scan_id']} score={result['score']} "
            f"entity={patient_entity_hash} ref={programme_ref}"
        )
    return result


async def write_behavioral_health_sud_audit_record(record: dict) -> None:
    """Persist audit record to behavioral health SUD AI regulatory documentation store (stub)."""
    import json, sys
    print(json.dumps(record), file=sys.stderr)


class AdversarialBehavioralHealthSUDAIImageError(Exception):
    """Raised when a behavioral health SUD AI image exceeds the adversarial injection threshold."""
    pass

Call scan_behavioral_health_sud_ai_image() with BehavioralHealthSUDAIContext.SUD_INTAKE_SCREENING_AI before forwarding Netsmart CareManager AI, Kipu EHR AI, or Qualifacts CareLogic AI AUDIT-C, DAST-10, and ASI scan images to SUD admission severity classification AI — with patient_entity_hash as the SHA-256 of the patient MRN (never plaintext PHI) for 42 CFR Part 2 SUD confidentiality compliance, SAMHSA 42 USC §290bb-2 OTP programme certification, and HIPAA §164.502(b) minimum necessary standard audit trail. Call with BehavioralHealthSUDAIContext.CRISIS_RISK_ASSESSMENT_AI for Spring Health AI, myAvatar AI, or BrightSpring Health AI C-SSRS and PHQ-9 crisis document scan images before crisis risk stratification and safety planning AI — with programme_ref as the crisis triage session identifier for Joint Commission NPSG 15.01.01 suicide risk reduction compliance, EMTALA 42 USC §1395dd psychiatric emergency stabilisation audit trail, and CMS §482.13 patient rights documentation. Call with BehavioralHealthSUDAIContext.MAT_PRESCRIPTION_AI for Kipu EHR AI, Netsmart AI, or Qualifacts CareLogic AI DEA waiver and MAT prescription display images before controlled substance prescribing authorisation AI — for DEA 21 CFR Part 1306 compliance, DATA 2000/MATE Act waiver verification, and FDA REMS programme compliance audit trail. Call with BehavioralHealthSUDAIContext.COURT_ORDERED_TREATMENT_AI for myAvatar AI, Spring Health AI, or Exym AI court order and compliance monitoring display images before court-mandate monitoring AI — for HIPAA 45 CFR §164.512(e) court order disclosure accuracy and ADA Title II 42 USC §12132 non-discrimination compliance. Get early access

Coverage matrix

Related questions

Further reading

• FigStep adversarial image injection detection — technical overview of pixel-level adversarial perturbation attack methodology underlying SUD intake screening form scan injection, C-SSRS crisis risk indicator suppression, and DEA waiver certificate display image corruption.
• Vision-language model security — architectural overview of multimodal AI adversarial injection vulnerability covering the VLM image encoder layers that Spring Health AI, myAvatar AI, and Kipu EHR AI use to process clinical document scan images and assessment display screens.
• Free tier — 10 scans/day, no card required — start scanning behavioral health and SUD AI image inputs at development volumes; test AUDIT-C form scan, C-SSRS crisis risk, and MAT prescription display injection detection without a payment method on file.
• Prompt injection in mental health and digital health AI — related mental health AI injection surface covering digital mental health platform AI with overlapping PHQ-9, crisis triage, and EMTALA psychiatric emergency dimensions.
• Prompt injection in healthcare and radiology AI — related healthcare AI injection surface covering clinical imaging AI with overlapping HIPAA, CMS CoP, and Joint Commission compliance dimensions.
• Prompt injection in government and social services AI — related social services AI injection surface covering court-mandated programme compliance and benefits eligibility AI with overlapping ADA Title II and Olmstead integration dimensions.
• HIPAA-compliant AI security and prompt injection — HIPAA minimum necessary standard, 42 CFR Part 2 overlay, and court order exception compliance requirements for AI systems processing behavioral health and SUD PHI.