new-site/docs/healthcare-email-compliance-review.md
justin 3325259af7 fix(email): drop @TrackLink from per-subscriber CTAs (404 + collapse bug)
Listmonk @TrackLink registers ONE static URL per tracked link and points
every recipient's /link/<uuid> redirect at it. On per-subscriber hrefs
({{ lp_link }}, ?dot=, ?npi=, ?clia=) this is doubly broken:
 - the registered links.url was captured before the {{ lp_link }} token
   rendered, yielding /order/slug&utm_source=... (first &, no ?) -> 404
 - even when valid it collapses every carrier/provider onto the first
   subscriber's dot/npi/clia value

Real human clicks are already tracked via Umami campaign-click (bot
filtered), so Listmonk link tracking here is redundant and destructive.

Stripped @TrackLink from per-subscriber CTAs:
 - scripts/create_deficiency_source_campaigns.py (_cta, _dot_check_cta)
 - data/trucking_campaigns/{ucr,ifta}_*.html
 - data/hc_campaigns/*.html (10 templates)

Static CTAs (e.g. CRTC ?code= order link) keep @TrackLink (safe).
Live fix to the 10 broken registered links.url rows applied separately
(first & -> ?), backup in listmonk.pw_links_dkim_fix_bak_20260622.

Docs: new runbook incident section + corrected the disproven
'use @TrackLink on all CTAs' guidance in fmcsa/hc plans.
2026-06-22 17:01:39 -05:00


Healthcare cold-email compliance review (2026-06-20)

Reviewed all 10 templates in data/hc_campaigns/ after removing prices, fixing click tracking, and de-risking unsubstantiated status claims.

Scope of the pass

  1. Removed all service prices from the emails (price is now revealed on the order page, after value is established). Catalog (api/src/service-catalog.ts) remains the source of truth.
  2. Click tracking — originally appended @TrackLink + UTM to every conversion CTA. SUPERSEDED (Jun 22 2026): @TrackLink must NOT be used on per-provider hrefs (?npi=/?clia=/{{ lp_link }}) — Listmonk registers one static URL per tracked link, which 404s and collapses every provider onto one NPI. @TrackLink removed from all HC templates; per-provider links render directly and human clicks are tracked via Umami campaign-click. See runbook "Jun 22 2026 — @TrackLink on per-subscriber CTAs."
  3. Reframed unsubstantiated per-record status assertions to honest, hedged, generally-true statements (defamation / FTC-deception risk).
  4. This compliance review.
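The two @TrackLink failure modes in scope item 2 (the `&`-without-`?` 404 and the collapse of every provider onto one registered URL) are easy to catch before a template is uploaded. The following is an added example, not code from this review or from the project's build scripts: it shows the safe way to append UTM parameters (parse the URL instead of concatenating), the naive pattern that produced `/order/slug&utm_source=...`, and a lint that flags any per-subscriber CTA still wrapped in @TrackLink. The token and parameter names (`{{ lp_link }}`, `?npi=`, `?clia=`, `?dot=`) are taken from the review text; the hostname and sample HTML are constructed.

```python
"""Added example (not the review's or the project's own code): the two @TrackLink
failure modes from scope item 2 reproduced on constructed hrefs, plus a lint that
catches both in a template before it is uploaded to Listmonk."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed marker strings, taken from the review text; anything carrying one of
# these is rendered per subscriber and must not be wrapped in @TrackLink.
PER_SUBSCRIBER_MARKERS = ("{{ lp_link }}", "?npi=", "?clia=", "?dot=")
HREF_RE = re.compile(r'href="([^"]*)"')


def append_params_naive(url: str, params: dict) -> str:
    """The pattern behind the 404: always joins with '&', regardless of
    whether the base URL already has a query string."""
    return url + "&" + urlencode(params)


def append_params(url: str, params: dict) -> str:
    """Append UTM parameters by parsing the URL, so '?' vs '&' is never guessed
    and existing per-subscriber parameters are preserved."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def lint_hrefs(html: str) -> list[str]:
    """Return one finding per href that is either a per-subscriber link wrapped
    in @TrackLink (collapses every recipient onto the first registered value)
    or a URL whose first query separator is '&' rather than '?' (404)."""
    findings = []
    for href in HREF_RE.findall(html):
        if "@TrackLink" in href and any(m in href for m in PER_SUBSCRIBER_MARKERS):
            findings.append(f"per-subscriber CTA wrapped in @TrackLink: {href}")
        # Lint runs on the unrendered template, which is the form Listmonk
        # registers, so '&' before any '?' is exactly the broken links.url case.
        if "&" in href.split("?", 1)[0]:
            findings.append(f"'&' appears before any '?' (404 risk): {href}")
    return findings


# Constructed sample template: one broken per-subscriber CTA, one static CTA
# where @TrackLink is fine, and one untracked self-verify link.
SAMPLE_HTML = """
<a href="{{ lp_link }}&utm_source=listmonk&utm_medium=email@TrackLink">Review my record</a>
<a href="https://example.invalid/order/crtc?code=ABC123@TrackLink">Order CRTC filing</a>
<a href="https://npiregistry.cms.hhs.gov/">Check the official NPPES record</a>
"""

if __name__ == "__main__":
    for finding in lint_hrefs(SAMPLE_HTML):
        print("FAIL:", finding)
    print(append_params("https://example.invalid/order/slug", {"utm_source": "listmonk"}))
```

Run the lint over `data/hc_campaigns/*.html` as a pre-upload check; the static `?code=` order link passes because it carries none of the per-subscriber markers, which matches the "Static CTAs keep @TrackLink" rule in the commit.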

Compliance posture — item by item

CAN-SPAM (US) — PASS

  • Physical postal address present in every footer (Performance West Inc., 525 Randall Ave Ste 100-1195, Cheyenne, WY 82001). ✓
  • Unsubscribe present in every template + List-Unsubscribe / List-Unsubscribe-Post one-click headers set by the build script. ✓
  • No deceptive subject lines — subjects are hedged ("may be out of date", "appears deactivated", "Are you screening for…"). ✓
  • Accurate From / Reply-To: FROM_EMAIL / REPLY_TO real, monitored. ✓
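The CAN-SPAM checklist above (postal address, visible unsubscribe, one-click List-Unsubscribe / List-Unsubscribe-Post headers) can be asserted on the built message rather than eyeballed. The block below is an added example, not the project's build script: it assembles a message with the RFC 8058 header pair and lints it. The postal address is the one quoted above; sender, recipient, unsubscribe endpoints and body are constructed placeholders.

```python
"""Added example (not the project's build script): build a message with the
RFC 8058 one-click unsubscribe headers and lint the CAN-SPAM items above."""
import re
from email.message import EmailMessage

# The postal address is the one the review quotes; everything else is constructed.
POSTAL_ADDRESS = "525 Randall Ave Ste 100-1195, Cheyenne, WY 82001"
URI_RE = re.compile(r"<([^>]+)>")

SAMPLE_HTML = (
    '<p>Is your NPPES record current?</p>'
    '<p><a href="https://example.invalid/unsubscribe/abc">Unsubscribe</a></p>'
    f'<p>Performance West Inc., {POSTAL_ADDRESS}</p>'
)


def build_message(sender: str, recipient: str, unsub_mailto: str,
                  unsub_https: str, html_body: str) -> EmailMessage:
    """Assemble a multipart/alternative message with the one-click header pair.
    RFC 8058 requires an https URI in List-Unsubscribe and the exact
    List-Unsubscribe-Post value; the mailto: entry is a fallback."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Is your NPPES record current?"
    msg["List-Unsubscribe"] = f"<mailto:{unsub_mailto}>, <{unsub_https}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content("Plain-text alternative of the message body.")
    msg.add_alternative(html_body, subtype="html")
    return msg


def html_body_of(msg: EmailMessage) -> str:
    part = msg.get_body(preferencelist=("html",))
    return part.get_content() if part is not None else ""


def can_spam_findings(msg: EmailMessage) -> list[str]:
    """Return an empty list when the message passes; one string per failure."""
    findings = []
    body = html_body_of(msg)
    if POSTAL_ADDRESS not in body:
        findings.append("no physical postal address in body")
    if not re.search(r"unsubscribe", body, re.IGNORECASE):
        findings.append("no visible unsubscribe link in body")
    lu = msg.get("List-Unsubscribe")
    if lu is None:
        findings.append("missing List-Unsubscribe header")
    elif not any(u.startswith("https://") for u in URI_RE.findall(lu)):
        findings.append("List-Unsubscribe has no https URI (required for one-click)")
    if msg.get("List-Unsubscribe-Post") != "List-Unsubscribe=One-Click":
        findings.append("List-Unsubscribe-Post must be exactly 'List-Unsubscribe=One-Click'")
    return findings


def sample_message() -> EmailMessage:
    return build_message(
        "Compliance Desk <sender@example.invalid>",
        "provider@example.invalid",
        "unsubscribe@example.invalid",
        "https://example.invalid/unsubscribe/abc",
        SAMPLE_HTML,
    )


if __name__ == "__main__":
    print(can_spam_findings(sample_message()) or "PASS")
```

The check reads the decoded HTML part, so it is indifferent to whether the build script ends up using 7bit or quoted-printable encoding for long lines.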

Truth-in-advertising / FTC deception — FIXED

The biggest risk was asserting a specific provider's record status as fact when we don't actually measure it. Addressed:

| Template | Was | Now |
|---|---|---|
| nppes_outdated | "record … appears out of date"; header "Outdated registry information detected"; row "FLAGGED OUT OF DATE"; footnote "Staleness flagged by our compliance monitoring" | General true statement ("most practices drift out of date over time"); header "NPPES Data Check / keep your record current & attested"; row "PERIODIC REVIEW REQUIRED"; footnote cites the real CMS periodic-attestation requirement |
| npi_reactivation | header "Deactivated enrollment detected"; body "flagged … as deactivated" | header "Provider Enrollment Check"; body "may be deactivated … worth confirming on the official sources" |

Why this matters: the nppes_outdated audience selector (institutional_verified) only checks deliverability, never staleness — and the harvested data has no NPPES last-updated field, so a per-record "out of date / FLAGGED" claim was literally unsubstantiated for every recipient. Now the copy is true for everyone (CMS does require periodic NPPES attestation) and still invites them to self-verify.

Substantiated claims that were KEPT (verified backed by data)

  • revalidation_overdue "is past due / PAST DUE · N days overdue" — OK: the reval_overdue selector requires reval_status == "overdue" AND a real overdue day count derived from the public CMS Revalidation Due Date List. The email also links the provider to that exact government list to self-verify. Legitimate.
  • revalidation_due_soon "deadline is coming up" — backed by reval_status == "upcoming" from the same CMS list. ✓
  • OIG "civil monetary penalties up to $20,000 per claim" — this is a real OIG penalty figure (kept; it is a regulatory fact, not a price). ✓

Government-affiliation / impersonation — PASS

  • Every template carries the disclaimer "Performance West is an independent compliance firm, not affiliated with CMS / Medicare / OIG / SAM.gov."
  • "Official record · CMS Medicare Revalidation Due Date List" refers to the CMS public dataset we cite (and link to), not a claim that we are CMS. The "Don't take our word for it — check the official CMS record" framing reinforces that we are pointing them AT the government source, not posing as it. ✓
  • No CMS/HHS logos, seals, or government-lookalike sender identity. ✓

"No-login / done-for-you" claims — PASS (already vetted)

  • Matches the verified capability map in docs/healthcare-no-login-value-add.md and docs/healthcare-filing-tiers-verified.md. The one honesty caveat (the provider must personally sign the 855; we cannot sign for them) is respected: copy says "the only thing we may need is a one-minute e-signature," never claims we sign on their behalf. ✓

Guarantee / absolute-language scan — ACCEPTABLE

Scanner flagged guarantee / never / 100% / will not. Reviewed in context — all benign and substantiable:

  • "100% satisfaction guarantee" + "we'll make it right" — standard puffery / service promise, paired with "fixed pricing, no billable hours." Acceptable.
  • "You never share your password / you will not pay billable hours" — factual descriptions of how the service works, not outcome guarantees. ✓
  • No claims guaranteeing a CMS approval/outcome (which WOULD be a problem). ✓

Trust/credibility badges — VERIFY (flag for owner)

Footers assert "SOC 2 Type II hosting · HIPAA & PCI compliant · 256-bit TLS." These are factual compliance claims and must be literally true:

  • ⚠️ Action for Justin: confirm we can substantiate SOC 2 Type II + HIPAA + PCI (or soften to "encrypted, secure Stripe payments" if any is aspirational). False compliance badges are an FTC and contractual risk. Not changed in this pass — needs owner confirmation.

HTML / deliverability QA — PASS

  • All 10 templates render with 0 JS errors headless, each has exactly one per-provider /order/... CTA (direct link, @TrackLink removed Jun 22 2026 — see item 2), and no price leaks (only the $20,000 OIG penalty stat remains, intentionally).
  • External self-verify links (oig.hhs.gov, sam.gov, npiregistry, data.cms.gov) left untracked on purpose (they're trust links, not conversions).

  1. Confirm SOC 2 / HIPAA / PCI badge claims are literally true (above).
  2. OIG $79/mo & NPPES $349 pricing flagged as high/hard in docs/healthcare-competitive-pricing.md — consider a one-time OIG entry option and a lower NPPES anchor. (Pricing strategy, separate from compliance.)
  3. Add the free /tools/npi-compliance-check as a soft secondary CTA / lead magnet so non-buyers are captured and nurtured (funnel, separate effort).