# Healthcare cold-email compliance review (2026-06-20)

Reviewed all 10 templates in `data/hc_campaigns/` after removing prices, fixing click tracking, and de-risking unsubstantiated status claims.

## Scope of the pass

1. **Removed all service prices** from the emails (price is now revealed on the order page, after value is established). The catalog (`api/src/service-catalog.ts`) remains the source of truth.
2. **Click tracking** — originally appended `@TrackLink` + UTM to every conversion CTA. **SUPERSEDED (Jun 22 2026):** `@TrackLink` must NOT be used on per-provider hrefs (`?npi=` / `?clia=` / `{{ lp_link }}`) — Listmonk registers one static URL per tracked link, which 404s and collapses every provider onto one NPI. `@TrackLink` removed from all HC templates; per-provider links render directly and human clicks are tracked via Umami `campaign-click`. See runbook "Jun 22 2026 — @TrackLink on per-subscriber CTAs."
3. **Reframed unsubstantiated per-record status assertions** into honest, hedged, generally-true statements (defamation / FTC-deception risk).
4. This compliance review.

## Compliance posture — item by item

### CAN-SPAM (US) — PASS

- **Physical postal address** present in every footer (Performance West Inc., 525 Randall Ave Ste 100-1195, Cheyenne, WY 82001). ✓
- **Unsubscribe** link present in every template, plus `List-Unsubscribe` / `List-Unsubscribe-Post` one-click headers set by the build script. ✓
- **No deceptive subject lines** — subjects are hedged ("may be out of date", "appears deactivated", "Are you screening for…"). ✓
- **Accurate From / Reply-To** — `FROM_EMAIL` / `REPLY_TO` are real, monitored addresses. ✓

### Truth-in-advertising / FTC deception — FIXED

The biggest risk was **asserting a specific provider's record status as fact when we don't actually measure it**. Addressed:

| Template | Was | Now |
|---|---|---|
| `nppes_outdated` | "record … appears **out of date**", header "Outdated registry information **detected**", row "**FLAGGED OUT OF DATE**", footnote "Staleness **flagged by our compliance monitoring**" | General true statement ("most practices drift out of date over time"), header "NPPES Data Check / keep your record current & attested", row "**PERIODIC REVIEW REQUIRED**", footnote cites the real CMS periodic-attestation requirement |
| `npi_reactivation` | header "Deactivated enrollment **detected**", body "**flagged** … as deactivated" | header "Provider Enrollment Check", body "**may be** deactivated … worth confirming on the official sources" |

**Why this matters:** the `nppes_outdated` audience selector (`institutional_verified`) only checks **deliverability**, never staleness — and the harvested data has **no NPPES last-updated field**, so a per-record "out of date / FLAGGED" claim was literally unsubstantiated for every recipient. Now the copy is true for everyone (CMS does require periodic NPPES attestation) and still invites them to self-verify.

### Substantiated claims that were KEPT (verified as backed by data)

- `revalidation_overdue` "**is past due** / PAST DUE · N days overdue" — **OK**: the `reval_overdue` selector requires `reval_status == "overdue"` AND a real overdue day count derived from the **public CMS Revalidation Due Date List**. The email also links the provider to that exact government list to self-verify. Legitimate.
- `revalidation_due_soon` "deadline is coming up" — backed by `reval_status == "upcoming"` from the same CMS list. ✓
- OIG "**civil monetary penalties up to $20,000 per claim**" — this is a real OIG penalty figure (kept; it is a regulatory fact, not a price). ✓

### Government-affiliation / impersonation — PASS

- Every template carries the disclaimer **"Performance West is an independent compliance firm, not affiliated with CMS / Medicare / OIG / SAM.gov."** ✓
- "Official record · CMS Medicare Revalidation Due Date List" refers to the **CMS public dataset we cite** (and link to), not a claim that we are CMS. The "Don't take our word for it — check the official CMS record" framing reinforces that we are pointing them AT the government source, not posing as it. ✓
- No CMS/HHS logos, seals, or government-lookalike sender identity. ✓

### "No-login / done-for-you" claims — PASS (already vetted)

- Matches the verified capability map in `docs/healthcare-no-login-value-add.md` and `docs/healthcare-filing-tiers-verified.md`. The one honesty caveat (the provider must personally **sign** the 855; we cannot sign for them) is respected: copy says "the only thing we may need is a one-minute e-signature," and never claims we sign on their behalf. ✓

### Guarantee / absolute-language scan — ACCEPTABLE

Scanner flagged `guarantee / never / 100% / will not`. Reviewed in context — all benign and substantiable:

- "**100% satisfaction guarantee**" + "we'll make it right" — standard puffery / service promise, paired with "fixed pricing, no billable hours." Acceptable.
- "You **never** share your password / you **will not** pay billable hours" — factual descriptions of how the service works, not outcome guarantees. ✓
- No claims guaranteeing a CMS approval/outcome (which WOULD be a problem). ✓

### Trust/credibility badges — VERIFY (flag for owner)

Footers assert **"SOC 2 Type II hosting · HIPAA & PCI compliant · 256-bit TLS."** These are factual compliance claims and must be **literally true**:

- ⚠️ **Action for Justin:** confirm we can substantiate SOC 2 Type II + HIPAA + PCI (or soften to "encrypted, secure Stripe payments" if any is aspirational). False compliance badges are an FTC and contractual risk.

Not changed in this pass — needs owner confirmation.

## HTML / deliverability QA — PASS

- All 10 templates render with **0 JS errors** in a headless browser, each has **exactly one per-provider `/order/...` CTA** (direct link, `@TrackLink` removed Jun 22 2026 — see item 2), and **no price leaks** (only the $20,000 OIG penalty stat remains, intentionally).
- External self-verify links (oig.hhs.gov, sam.gov, npiregistry, data.cms.gov) left **untracked** on purpose (they're trust links, not conversions).

## Outstanding (not blocking, recommended next)

1. **Confirm SOC 2 / HIPAA / PCI badge claims** are literally true (above).
2. **OIG $79/mo & NPPES $349 pricing** flagged as high/hard in `docs/healthcare-competitive-pricing.md` — consider a one-time OIG entry option and a lower NPPES anchor. (Pricing strategy, separate from compliance.)
3. **Add the free `/tools/npi-compliance-check`** as a soft secondary CTA / lead magnet so non-buyers are captured and nurtured (funnel, separate effort).
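The HTML / deliverability QA section above lists the per-template checks as a manual pass. As an added example (not code from the project's repo), here is a TypeScript lint that mechanises them: exactly one `/order/` CTA, no `@TrackLink` on per-provider or government self-verify hrefs, no dollar amount other than the $20,000 OIG figure, the postal address, affiliation disclaimer and unsubscribe link present, and the status / absolute-language words surfaced as warnings for human review. The two sample templates, the `example.com` order URLs and the use of Listmonk's `{{ UnsubscribeURL }}` tag are constructed assumptions.

```typescript
// Added example, not the project's own code: a lint implementing the review's
// HTML QA checks. GOOD and BAD below are constructed samples, not hc_campaigns/ files.
export type LintResult = { errors: string[]; warnings: string[] };
const SELF_VERIFY_HOSTS = ["oig.hhs.gov", "sam.gov", "npiregistry", "data.cms.gov"];
const DISCLAIMER = "independent compliance firm, not affiliated with CMS";
const POSTAL = "525 Randall Ave Ste 100-1195, Cheyenne, WY 82001";

export function lintTemplate(html: string): LintResult {
  const errors: string[] = [];
  const warnings: string[] = [];
  const hrefs = (html.match(/href="[^"]+"/g) || []).map(a => a.slice(6, -1));
  // Exactly one per-provider conversion CTA per template
  const orderLinks = hrefs.filter(h => h.indexOf("/order/") !== -1);
  if (orderLinks.length !== 1) errors.push(`expected 1 /order/ CTA, found ${orderLinks.length}`);
  // @TrackLink must not sit on per-provider hrefs (Listmonk collapses them onto
  // one static URL) nor on the deliberately untracked government self-verify links
  for (const h of hrefs) {
    const perProvider = /\?(npi|clia)=|\{\{\s*lp_link\s*\}\}/.test(h);
    const selfVerify = SELF_VERIFY_HOSTS.some(d => h.indexOf(d) !== -1);
    if (h.indexOf("@TrackLink") !== -1 && (perProvider || selfVerify)) {
      errors.push(`tracked link must be direct: ${h}`);
    }
  }
  // Price leak: any dollar amount except the $20,000 OIG penalty statistic
  for (const amt of html.match(/\$\s?\d[\d,]*(?:\.\d+)?/g) || []) {
    if (amt.replace(/\s/g, "") !== "$20,000") errors.push(`price leak: ${amt}`);
  }
  // CAN-SPAM and impersonation footer elements
  if (html.indexOf(POSTAL) === -1) errors.push("missing physical postal address");
  if (html.indexOf(DISCLAIMER) === -1) errors.push("missing government-affiliation disclaimer");
  if (!/unsubscribe/i.test(html)) errors.push("missing unsubscribe link");
  // Per-record status assertions and absolute language: flag for human review, not auto-fail
  for (const w of html.match(/\b(?:detected|flagged|guarantee|never|100%|will not)(?![a-z])/gi) || []) {
    warnings.push(`review in context: "${w}"`);
  }
  return { errors, warnings };
}

// Constructed samples: a compliant template and one carrying the defects the review fixed
export const GOOD = `<a href="https://example.com/order/nppes?npi=1234567890">Keep my record current</a>
<a href="https://npiregistry.cms.hhs.gov/">Check the official record</a>
<p>Civil monetary penalties up to $20,000 per claim.</p>
<footer>Performance West is an independent compliance firm, not affiliated with CMS / Medicare / OIG / SAM.gov.
Performance West Inc., 525 Randall Ave Ste 100-1195, Cheyenne, WY 82001 · <a href="{{ UnsubscribeURL }}">Unsubscribe</a></footer>`;
export const BAD = `<p>Outdated registry information detected for your record.</p>
<a href="https://example.com/order/oig?npi=1234567890@TrackLink">Fix it for $79/mo</a>
<footer>Performance West Inc., 525 Randall Ave Ste 100-1195, Cheyenne, WY 82001 · <a href="{{ UnsubscribeURL }}">Unsubscribe</a></footer>`;
```

Run it over the rendered output of each template in the build step; a non-empty `errors` array should fail the build, while `warnings` go to the reviewer.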