new-site/docs/healthcare-email-compliance-review.md
justin d8e3e40dda healthcare emails: remove prices, fix click tracking, de-risk claims
Diagnosing zero healthcare sales (11k sent, 5479 opens, 0 clicks, 0 orders).
Root cause of clicks=0: Listmonk only registers a link for tracking when the
href ends with the literal @TrackLink marker; all 10 hc templates lacked it
(trucking/CRTC have it). So the entire funnel was unmeasurable below 'open'.

Changes:
- Click tracking: append @TrackLink + UTM to every /order/ CTA across all 10
  templates (external gov self-verify links left untracked on purpose).
- Remove all service prices from emails (99/49/49/99yr/9mo). Price is
  now revealed on the order page after value is established; catalog
  (api/src/service-catalog.ts) stays source of truth. Kept the $20,000 OIG
  penalty stat (regulatory fact, not our price). Added a neutral 'flat fee shown
  up front' reassurance block where the fee table used to be.
- Compliance/honesty: the nppes_outdated email asserted a per-record
  'FLAGGED OUT OF DATE / detected' status, but its selector only checks
  deliverability and the data has no NPPES last-updated field -> unsubstantiated
  for every recipient. Reframed to a generally-true periodic-attestation message
  ('PERIODIC REVIEW REQUIRED', 'most practices drift out of date'). Same hedging
  applied to npi_reactivation ('may be deactivated ... confirm on official
  sources'). Substantiated reval 'past due' claims (backed by the public CMS
  Revalidation list) were kept.
- Fixed stale $299 OIG metadata in build script -> $79/mo (reference only).

Docs: docs/healthcare-competitive-pricing.md (benchmark research) and
docs/healthcare-email-compliance-review.md (CAN-SPAM / FTC / impersonation pass;
flags SOC2/HIPAA/PCI badge claims for owner confirmation).

Verified headless: all 10 render with 0 JS errors, exactly 1 tracked CTA each,
no price leaks.
2026-06-20 09:37:02 -05:00

6.1 KiB

Healthcare cold-email compliance review (2026-06-20)

Reviewed all 10 templates in data/hc_campaigns/ after removing prices, fixing click tracking, and de-risking unsubstantiated status claims.

Scope of the pass

  1. Removed all service prices from the emails (price is now revealed on the order page, after value is established). Catalog (api/src/service-catalog.ts) remains the source of truth.
  2. Fixed click tracking — appended @TrackLink + UTM to every conversion CTA. This was the root cause of clicks=0: Listmonk only registers a link for tracking when its href ends with that literal marker, so every earlier send was unmeasurable below "open".
  3. Reframed unsubstantiated per-record status assertions to honest, hedged, generally-true statements (defamation / FTC-deception risk).
  4. This compliance review.

Compliance posture — item by item

CAN-SPAM (US) — PASS

  • Physical postal address present in every footer (Performance West Inc., 525 Randall Ave Ste 100-1195, Cheyenne, WY 82001). ✓
  • Unsubscribe present in every template + List-Unsubscribe / List-Unsubscribe-Post one-click headers set by the build script. ✓
  • No deceptive subject lines — subjects are hedged ("may be out of date", "appears deactivated", "Are you screening for…"). ✓
  • Accurate From / Reply-To: FROM_EMAIL and REPLY_TO are real, monitored mailboxes. ✓

Truth-in-advertising / FTC deception — FIXED

The biggest risk was asserting a specific provider's record status as fact when we don't actually measure it. Addressed:

  • nppes_outdated
    Was: "record … appears out of date"; header "Outdated registry information detected"; row "FLAGGED OUT OF DATE"; footnote "Staleness flagged by our compliance monitoring"
    Now: general true statement ("most practices drift out of date over time"); header "NPPES Data Check / keep your record current & attested"; row "PERIODIC REVIEW REQUIRED"; footnote cites the real CMS periodic-attestation requirement
  • npi_reactivation
    Was: header "Deactivated enrollment detected"; body "flagged … as deactivated"
    Now: header "Provider Enrollment Check"; body "may be deactivated … worth confirming on the official sources"

Why this matters: the nppes_outdated audience selector (institutional_verified) only checks deliverability, never staleness — and the harvested data has no NPPES last-updated field, so a per-record "out of date / FLAGGED" claim was literally unsubstantiated for every recipient. Now the copy is true for everyone (CMS does require periodic NPPES attestation) and still invites them to self-verify.

Substantiated claims that were KEPT (verified as backed by data)

  • revalidation_overdue "is past due / PAST DUE · N days overdue" — OK: the reval_overdue selector requires reval_status == "overdue" AND a real overdue day count derived from the public CMS Revalidation Due Date List. The email also links the provider to that exact government list to self-verify. Legitimate.
  • revalidation_due_soon "deadline is coming up" — backed by reval_status == "upcoming" from the same CMS list. ✓
  • OIG "civil monetary penalties up to $20,000 per claim" — this is a real OIG penalty figure (kept; it is a regulatory fact, not a price). ✓
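The rule applied in the two sections above (reframed claims and kept claims) can be enforced in the build step instead of by hand. The following is an added example, not the project's selector or build code: a template may print a per-record status line only when the audience selector guarantees the field that backs it, and otherwise falls back to the hedged, generally-true line. Selector and field names follow this review (institutional_verified, reval_overdue, reval_status); the recipient rows, the NPI values and the function names statusLine/auditClaim are constructed for the example, and nppes_last_updated appears only to show that a field the harvested data never carries can never satisfy the evidence check.

```typescript
// Added example, not the project's selector or build code. A template may
// render a per-record status only when the audience selector guarantees the
// data that substantiates it; otherwise it renders the hedged general line.
// Field and selector names follow the review; the rows below are constructed.

type RevalStatus = "overdue" | "upcoming" | "current";

interface Recipient {
  npi: string;
  deliverable: boolean;        // what institutional_verified actually checks
  reval_status?: RevalStatus;  // from the public CMS Revalidation Due Date List
  overdue_days?: number;       // derived from that list's due date
  nppes_last_updated?: string; // absent from the harvested data (assumption)
}

interface StatusClaim {
  template: string;
  selector: (r: Recipient) => boolean;  // who receives the email
  evidence: (r: Recipient) => boolean;  // data that backs the per-record line
  perRecord: (r: Recipient) => string;  // rendered only when evidence(r) holds
  hedged: string;                       // generally-true fallback copy
}

const REVAL_OVERDUE: StatusClaim = {
  template: "revalidation_overdue",
  // reval_overdue selector: deliverable, status "overdue", real overdue day count
  selector: (r) => r.deliverable && r.reval_status === "overdue" && (r.overdue_days || 0) > 0,
  evidence: (r) => r.reval_status === "overdue" && (r.overdue_days || 0) > 0,
  perRecord: (r) => `PAST DUE · ${r.overdue_days} days overdue`,
  hedged: "Revalidation deadlines are worth confirming on the CMS list",
};

const NPPES_OUTDATED: StatusClaim = {
  template: "nppes_outdated",
  selector: (r) => r.deliverable,  // institutional_verified: deliverability only
  evidence: (r) => typeof r.nppes_last_updated === "string",
  perRecord: () => "FLAGGED OUT OF DATE",
  hedged: "PERIODIC REVIEW REQUIRED",
};

// Per-recipient render: the per-record assertion is never emitted without evidence.
function statusLine(claim: StatusClaim, r: Recipient): string {
  return claim.evidence(r) ? claim.perRecord(r) : claim.hedged;
}

// Audience-wide audit: the per-record wording may be the template's default
// copy only if every selected recipient carries the evidence. Any recipient
// listed in `unbacked` would receive an unsubstantiated claim.
function auditClaim(
  claim: StatusClaim,
  rows: Recipient[]
): { selected: number; substantiated: number; unbacked: string[] } {
  const audience = rows.filter((r) => claim.selector(r));
  const unbacked = audience.filter((r) => !claim.evidence(r)).map((r) => r.npi);
  return { selected: audience.length, substantiated: audience.length - unbacked.length, unbacked };
}

// Constructed sample rows (NPIs are placeholders, not real providers).
const SAMPLE: Recipient[] = [
  { npi: "1000000001", deliverable: true, reval_status: "overdue", overdue_days: 41 },
  { npi: "1000000002", deliverable: true, reval_status: "upcoming" },
  { npi: "1000000003", deliverable: true },
  { npi: "1000000004", deliverable: false, reval_status: "overdue", overdue_days: 3 },
];

const nppesAudit = auditClaim(NPPES_OUTDATED, SAMPLE);
const revalAudit = auditClaim(REVAL_OVERDUE, SAMPLE);
console.log(NPPES_OUTDATED.template, nppesAudit); // no selected recipient is backed: hedged copy only
console.log(REVAL_OVERDUE.template, revalAudit);  // selector implies evidence: per-record copy is fine
```

Running this against a real export before a send turns the review's reasoning into a gate: if `substantiated` is less than `selected` for a template, its per-record wording must not ship as the default, which is exactly the nppes_outdated situation (selector checks deliverability only, evidence field never present) and the opposite of revalidation_overdue (the selector itself requires the backing fields).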

Government-affiliation / impersonation — PASS

  • Every template carries the disclaimer "Performance West is an independent compliance firm, not affiliated with CMS / Medicare / OIG / SAM.gov."
  • "Official record · CMS Medicare Revalidation Due Date List" refers to the CMS public dataset we cite (and link to), not a claim that we are CMS. The "Don't take our word for it — check the official CMS record" framing reinforces that we are pointing them AT the government source, not posing as it. ✓
  • No CMS/HHS logos, seals, or government-lookalike sender identity. ✓

"No-login / done-for-you" claims — PASS (already vetted)

  • Matches the verified capability map in docs/healthcare-no-login-value-add.md and docs/healthcare-filing-tiers-verified.md. The one honesty caveat (the provider must personally sign the 855; we cannot sign for them) is respected: copy says "the only thing we may need is a one-minute e-signature," never claims we sign on their behalf. ✓

Guarantee / absolute-language scan — ACCEPTABLE

Scanner flagged guarantee / never / 100% / will not. Reviewed in context — all benign and substantiable:

  • "100% satisfaction guarantee" + "we'll make it right" — standard puffery / service promise, paired with "fixed pricing, no billable hours." Acceptable.
  • "You never share your password / you will not pay billable hours" — factual descriptions of how the service works, not outcome guarantees. ✓
  • No claims guaranteeing a CMS approval/outcome (which WOULD be a problem). ✓

Trust/credibility badges — VERIFY (flag for owner)

Footers assert "SOC 2 Type II hosting · HIPAA & PCI compliant · 256-bit TLS." These are factual compliance claims and must be literally true, and each is narrower than the badge suggests: a hosting provider's SOC 2 Type II report covers the provider's controls, not our application; there is no HIPAA certification, only a documented compliance program (BAAs, risk analysis, safeguards); PCI scope depends on whether card data ever touches our systems; and "256-bit TLS" names a cipher suite, not a TLS version, so it should only be stated if the order page actually negotiates AES-256 suites.

  • ⚠️ Action for Justin: confirm we can substantiate SOC 2 Type II + HIPAA + PCI (or soften to "encrypted, secure Stripe payments" if any is aspirational). False compliance badges are an FTC and contractual risk. Not changed in this pass — needs owner confirmation.

HTML / deliverability QA — PASS

  • All 10 templates render with 0 JS errors headless, each has exactly one tracked /order/...@TrackLink CTA, and no price leaks (only the $20,000 OIG penalty stat remains, intentionally).
  • External self-verify links (oig.hhs.gov, sam.gov, npiregistry, data.cms.gov) left untracked on purpose (they're trust links, not conversions).
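The three QA rules above (exactly one tracked /order/ CTA with UTM, government self-verify links untracked, no price leaks) are easy to check statically on the rendered HTML. The following is an added example, not the project's build or headless QA script. It assumes the marker form described in this review (Listmonk tracks a link only when the href ends with the literal @TrackLink), uses example.com as a stand-in for the order page host, and the two template snippets, the template names and the lintTemplate/parseHref function names are constructed for the example.

```typescript
// Added example, not the project's QA script. Lints a rendered template for:
//   1. every /order/ CTA is tracked (href ends with @TrackLink) and carries UTM params
//   2. exactly one such CTA per template
//   3. .gov self-verify links are NOT tracked (trust links, not conversions)
//   4. no dollar figure except the allow-listed $20,000 OIG penalty stat
// Listmonk only registers a link whose href ends with the literal marker, so
// the marker is stripped before the URL is taken apart. example.com below is
// a stand-in host; both template snippets are constructed samples.

const TRACK_MARKER = "@TrackLink";
const REQUIRED_UTM = ["utm_source", "utm_medium", "utm_campaign"];
const ALLOWED_DOLLAR_FIGURES = ["$20,000"]; // regulatory fact, not a price

interface LintResult {
  template: string;
  trackedCtas: string[]; // /order/ hrefs carrying the marker
  problems: string[];
}

interface ParsedHref { host: string; path: string; params: string[] }

// Minimal href parser: optional scheme://host, path, query parameter names.
// Relative hrefs have an empty host; mailto: and {{ UnsubscribeURL }} tags
// fall through with a path no rule matches.
function parseHref(href: string): ParsedHref {
  const m = /^(?:https?:\/\/([^\/?#]*))?([^?#]*)(?:\?([^#]*))?/.exec(href);
  const host = (m && m[1] ? m[1] : "").toLowerCase();
  const path = m && m[2] ? m[2] : "";
  const query = m && m[3] ? m[3] : "";
  const params = query === "" ? [] : query.split("&").map((kv) => kv.split("=")[0]);
  return { host, path, params };
}

function lintTemplate(template: string, html: string): LintResult {
  const problems: string[] = [];
  const trackedCtas: string[] = [];
  const hrefRe = /href\s*=\s*["']([^"']+)["']/gi;
  let m: RegExpExecArray | null;
  while ((m = hrefRe.exec(html)) !== null) {
    // HTML-escaped ampersands would otherwise turn "utm_medium" into "amp;utm_medium".
    const raw = m[1].replace(/&amp;/g, "&");
    const tracked = raw.slice(-TRACK_MARKER.length) === TRACK_MARKER;
    const bare = tracked ? raw.slice(0, -TRACK_MARKER.length) : raw;
    const { host, path, params } = parseHref(bare);
    const isOrderCta = /^\/order\//.test(path);
    const isGovLink = /\.gov$/.test(host);
    if (isOrderCta && !tracked) {
      problems.push(`untracked conversion CTA: ${raw}`);
    } else if (isOrderCta) {
      for (const p of REQUIRED_UTM) {
        if (params.indexOf(p) === -1) problems.push(`CTA missing ${p}: ${raw}`);
      }
      trackedCtas.push(raw);
    } else if (isGovLink && tracked) {
      // A trust link must resolve directly to the government source, not via a tracking redirect.
      problems.push(`gov self-verify link must stay untracked: ${raw}`);
    }
  }
  if (trackedCtas.length !== 1) {
    problems.push(`expected exactly 1 tracked CTA, found ${trackedCtas.length}`);
  }
  // Price leak scan: "$79/mo", "$349", "$99 / yr"; only the allow-listed figure may remain.
  const priceRe = /\$\s?\d[\d,]*(?:\.\d{2})?(?:\s?\/\s?(?:mo|yr|month|year))?/gi;
  while ((m = priceRe.exec(html)) !== null) {
    const figure = m[0].replace(/\s+/g, "");
    if (ALLOWED_DOLLAR_FIGURES.indexOf(figure) === -1) problems.push(`price leak: ${m[0]}`);
  }
  return { template, trackedCtas, problems };
}

// Constructed samples: one template as shipped after this pass, one as it looked before.
const CLEAN_TEMPLATE = `
<p>OIG civil monetary penalties run up to $20,000 per claim.</p>
<a href="https://example.com/order/oig-screening?utm_source=listmonk&utm_medium=email&utm_campaign=hc_oig@TrackLink">Start monthly OIG screening</a>
<p>Don't take our word for it: <a href="https://exclusions.oig.hhs.gov/">check the OIG exclusion list</a>.</p>
<a href="{{ UnsubscribeURL }}">Unsubscribe</a>`;

const LEAKY_TEMPLATE = `
<a href="https://example.com/order/nppes-update">Fix my record</a> for a flat $349.
<a href="https://npiregistry.cms.hhs.gov/@TrackLink">Verify on NPPES</a>`;

const cleanResult = lintTemplate("oig_screening", CLEAN_TEMPLATE);
const leakyResult = lintTemplate("nppes_outdated_old", LEAKY_TEMPLATE);
console.log(cleanResult.template, cleanResult.problems.length === 0 ? "PASS" : cleanResult.problems);
console.log(leakyResult.template, leakyResult.problems);
```

Run it over every file the build emits and fail the build on any non-empty `problems` list; that catches a regression of the clicks=0 root cause (a CTA without the marker) before the next send rather than after a month of unmeasurable opens.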

Follow-ups (outside this pass)

  1. Confirm SOC 2 / HIPAA / PCI badge claims are literally true (above).
  2. OIG $79/mo & NPPES $349 pricing flagged as high/hard in docs/healthcare-competitive-pricing.md — consider a one-time OIG entry option and a lower NPPES anchor. (Pricing strategy, separate from compliance.)
  3. Add the free /tools/npi-compliance-check as a soft secondary CTA / lead magnet so non-buyers are captured and nurtured (funnel, separate effort).