justin/new-site
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
new-site/docs/healthcare-email-compliance-review.md
justin 3325259af7 fix(email): drop @TrackLink from per-subscriber CTAs (404 + collapse bug) 
Listmonk @TrackLink registers ONE static URL per tracked link and points
every recipient's /link/<uuid> redirect at it. On per-subscriber hrefs
({{ lp_link }}, ?dot=, ?npi=, ?clia=) this is doubly broken:
 - the registered links.url was captured before the {{ lp_link }} token
   rendered, yielding /order/slug&utm_source=... (first &, no ?) -> 404
 - even when valid it collapses every carrier/provider onto the first
   subscriber's dot/npi/clia value

Real human clicks are already tracked via Umami campaign-click (bot
filtered), so Listmonk link tracking here is redundant and destructive.

Stripped @TrackLink from per-subscriber CTAs:
 - scripts/create_deficiency_source_campaigns.py (_cta, _dot_check_cta)
 - data/trucking_campaigns/{ucr,ifta}_*.html
 - data/hc_campaigns/*.html (10 templates)

Static CTAs (e.g. CRTC ?code= order link) keep @TrackLink (safe).
Live fix to the 10 broken registered links.url rows applied separately
(first & -> ?), backup in listmonk.pw_links_dkim_fix_bak_20260622.

Docs: new runbook incident section + corrected the disproven
'use @TrackLink on all CTAs' guidance in fmcsa/hc plans.
2026-06-22 17:01:39 -05:00

104 lines
6.5 KiB
Markdown
Raw Blame History

# Healthcare cold-email compliance review (2026-06-20)
Reviewed all 10 templates in `data/hc_campaigns/` after removing prices, fixing
click tracking, and de-risking unsubstantiated status claims.
## Scope of the pass
1. **Removed all service prices** from the emails (price is now revealed on the
order page, after value is established). Catalog (`api/src/service-catalog.ts`)
remains the source of truth.
2. **Click tracking** — originally appended `@TrackLink` + UTM to every conversion
CTA. **SUPERSEDED (Jun 22 2026):** `@TrackLink` must NOT be used on per-provider
hrefs (`?npi=`/`?clia=`/`{{ lp_link }}`) — Listmonk registers one static URL per
tracked link, which 404s and collapses every provider onto one NPI. `@TrackLink`
removed from all HC templates; per-provider links render directly and human clicks
are tracked via Umami `campaign-click`. See runbook "Jun 22 2026 — @TrackLink on
per-subscriber CTAs."
3. **Reframed unsubstantiated per-record status assertions** to honest, hedged,
generally-true statements (defamation / FTC-deception risk).
4. This compliance review.
## Compliance posture — item by item
### CAN-SPAM (US) — PASS
- **Physical postal address** present in every footer (Performance West Inc., 525
Randall Ave Ste 100-1195, Cheyenne, WY 82001). ✓
- **Unsubscribe** present in every template + `List-Unsubscribe` /
`List-Unsubscribe-Post` one-click headers set by the build script. ✓
- **No deceptive subject lines** — subjects are hedged ("may be out of date",
"appears deactivated", "Are you screening for…"). ✓
- **Accurate From / Reply-To** — `FROM_EMAIL` / `REPLY_TO` real, monitored. ✓
### Truth-in-advertising / FTC deception — FIXED
The biggest risk was **asserting a specific provider's record status as fact when
we don't actually measure it**. Addressed:
| Template | Was | Now |
|---|---|---|
| `nppes_outdated` | "record … appears **out of date**", header "Outdated registry information **detected**", row "**FLAGGED OUT OF DATE**", footnote "Staleness **flagged by our compliance monitoring**" | General true statement ("most practices drift out of date over time"), header "NPPES Data Check / keep your record current & attested", row "**PERIODIC REVIEW REQUIRED**", footnote cites the real CMS periodic-attestation requirement |
| `npi_reactivation` | header "Deactivated enrollment **detected**", body "**flagged** … as deactivated" | header "Provider Enrollment Check", body "**may be** deactivated … worth confirming on the official sources" |
**Why this matters:** the `nppes_outdated` audience selector (`institutional_verified`)
only checks **deliverability**, never staleness — and the harvested data has **no
NPPES last-updated field**, so a per-record "out of date / FLAGGED" claim was
literally unsubstantiated for every recipient. Now the copy is true for everyone
(CMS does require periodic NPPES attestation) and still invites them to self-verify.
### Substantiated claims that were KEPT (verified backed by data)
- `revalidation_overdue` "**is past due** / PAST DUE · N days overdue" — **OK**: the
`reval_overdue` selector requires `reval_status == "overdue"` AND a real overdue
day count derived from the **public CMS Revalidation Due Date List**. The email
also links the provider to that exact government list to self-verify. Legitimate.
- `revalidation_due_soon` "deadline is coming up" — backed by `reval_status ==
"upcoming"` from the same CMS list. ✓
- OIG "**civil monetary penalties up to $20,000 per claim**" — this is a real OIG
penalty figure (kept; it is a regulatory fact, not a price). ✓
### Government-affiliation / impersonation — PASS
- Every template carries the disclaimer **"Performance West is an independent
compliance firm, not affiliated with CMS / Medicare / OIG / SAM.gov."** ✓
- "Official record · CMS Medicare Revalidation Due Date List" refers to the **CMS
public dataset we cite** (and link to), not a claim that we are CMS. The
"Don't take our word for it — check the official CMS record" framing reinforces
that we are pointing them AT the government source, not posing as it. ✓
- No CMS/HHS logos, seals, or government-lookalike sender identity. ✓
### "No-login / done-for-you" claims — PASS (already vetted)
- Matches the verified capability map in `docs/healthcare-no-login-value-add.md`
and `docs/healthcare-filing-tiers-verified.md`. The one honesty caveat (the
provider must personally **sign** the 855; we cannot sign for them) is respected:
copy says "the only thing we may need is a one-minute e-signature," never claims
we sign on their behalf. ✓
### Guarantee / absolute-language scan — ACCEPTABLE
Scanner flagged `guarantee / never / 100% / will not`. Reviewed in context — all
benign and substantiable:
- "**100% satisfaction guarantee**" + "we'll make it right" — standard puffery /
service promise, paired with "fixed pricing, no billable hours." Acceptable.
- "You **never** share your password / you **will not** pay billable hours" —
factual descriptions of how the service works, not outcome guarantees. ✓
- No claims guaranteeing a CMS approval/outcome (which WOULD be a problem). ✓
### Trust/credibility badges — VERIFY (flag for owner)
Footers assert **"SOC 2 Type II hosting · HIPAA & PCI compliant · 256-bit TLS."**
These are factual compliance claims and must be **literally true**:
- ⚠️ **Action for Justin:** confirm we can substantiate SOC 2 Type II + HIPAA + PCI
(or soften to "encrypted, secure Stripe payments" if any is aspirational). False
compliance badges are an FTC and contractual risk. Not changed in this pass —
needs owner confirmation.
## HTML / deliverability QA — PASS
- All 10 templates render with **0 JS errors** headless, each has **exactly one
per-provider `/order/...` CTA** (direct link, `@TrackLink` removed Jun 22 2026 —
see item 2), and **no price leaks** (only the $20,000 OIG penalty stat remains,
intentionally).
- External self-verify links (oig.hhs.gov, sam.gov, npiregistry, data.cms.gov) left
**untracked** on purpose (they're trust links, not conversions).
## Outstanding (not blocking, recommended next)
1. **Confirm SOC 2 / HIPAA / PCI badge claims** are literally true (above).
2. **OIG $79/mo & NPPES $349 pricing** flagged as high/hard in
`docs/healthcare-competitive-pricing.md` — consider a one-time OIG entry option
and a lower NPPES anchor. (Pricing strategy, separate from compliance.)
3. **Add the free `/tools/npi-compliance-check`** as a soft secondary CTA / lead
magnet so non-buyers are captured and nurtured (funnel, separate effort).
Reference in a new issue View git blame Copy permalink