Documentation Index
Fetch the complete documentation index at: https://docs.encoreos.io/llms.txt
Use this file to discover all available pages before exploring further.
Version: 1.4.0
Last Updated: 2026-05-13
Status: Active
Module: CE (Community Engagement)
Cross-References:
Overview
This document tracks communications and marketing compliance for the CE module, which manages CRM, campaigns, SMS messaging, call tracking, and community outreach. Key regulations include CAN-SPAM (email), TCPA (SMS/telephony), Arizona call recording law, and FCC telemarketing rules. Where CE handles PHI or SUD-related communications, HIPAA and 42 CFR Part 2 also apply.
1. CAN-SPAM Act (Commercial Email)
| # | Requirement | Responsible Spec | Status | Notes |
|---|
| CS-01 | Accurate header information — From, To, Reply-To must accurately identify sender | CE-09 | ⏳ Not Started | Email template validation; org-level sender configuration |
| CS-02 | Non-deceptive subject lines — Subject must reflect message content | CE-09 | ⏳ Not Started | Campaign review workflow; template approval |
| CS-03 | Advertisement identification — Clearly identify commercial messages as advertisements | CE-09 | ⏳ Not Started | Auto-label commercial campaigns; transactional messages exempt |
| CS-04 | Physical address — Include valid postal address in every commercial email | CE-09 | ⏳ Not Started | Org address auto-inserted in email footer |
| CS-05 | Unsubscribe mechanism — Conspicuous opt-out; honor within 10 business days | CE-09, CE-16 | ⏳ Not Started | CE-09 owns unsubscribe link in emails; CE-16 owns unified suppression registry (ce_suppressions) that records opt-outs and enforces pre-send blocks |
| CS-06 | Opt-out list management — Maintain and honor suppression lists; no sharing | CE-09, CE-16 | ⏳ Not Started | CE-16 centralizes opt-out list management via ce_suppressions (suppress_email=true); CE-09 consumes via pre-send check |
| CS-07 | HIPAA marketing overlay — PHI-based marketing requires patient authorization per 45 CFR 164.508 | CE-09, PF-44 | 📋 Policy | CE campaigns must not use PHI for marketing without authorization |
2. TCPA (SMS and Telephony)
| # | Requirement | Responsible Spec | Status | Notes |
|---|
| TC-01 | Express written consent — Obtain prior express written consent before sending automated SMS | CE-08, CE-16 | 🔜 In Progress | CE-08 EN send gate now enforces local consent/opt-out fallback (shim) before send. CE-16 registry remains canonical target for finalized evidence pipeline. |
| TC-02 | Consent per message type — Separate consent for marketing vs transactional messages | CE-08, CE-16 | 🔜 In Progress | CE-08 EN send gate enforces marketing consent requirement (messageType=marketing) and fail-closed opt-out handling in current slice. |
| TC-03 | STOP keyword opt-out — Honor STOP replies immediately | CE-08, CE-16 | ⏳ Not Started | CE-08 processes inbound STOP webhook; CE-16 records suppression in ce_suppressions (reason=‘stop_keyword’) and blocks future sends |
| TC-04 | Opt-out confirmation — Single confirmation message upon opt-out | CE-08, CE-16 | ⏳ Not Started | CE-08 sends confirmation; CE-16 records consent withdrawal evidence in ce_consent_evidence (action=‘withdrawn’) |
| TC-05 | Business hours — Send messages only during appropriate hours (8am-9pm recipient local time) | CE-08 | 🔜 In Progress | CE-08 EN scheduled execution now applies TCPA 8am-9pm local-time floor and re-queues outside-window sends. |
| TC-06 | Sender identification — Identify organization in every message | CE-08 | 🔜 In Progress | Shared send gate now injects organization identifier prefix in outbound message normalization. |
| TC-07 | 10DLC/A2P registration — Register for A2P 10DLC with carrier to avoid filtering | CE-08 | ⏳ Not Started | Carrier registration required before production SMS |
| TC-08 | No PHI in SMS — Messages must not contain PHI | CE-08, PF-44 | 🔜 In Progress | Send gate and MMS path now warn/block per org PHI mode; MMS UI adds explicit PHI media safeguard warning and server-side MIME/size validation metadata checks. |
3. Arizona Call Recording (ARS 13-3005, HB 2038)
| # | Requirement | Responsible Spec | Status | Notes |
|---|
| CR-01 | One-party consent — Arizona is one-party consent; at least one party must consent to recording | CE-10 (if applicable) | 📋 Policy | Staff making calls are the consenting party |
| CR-02 | Notice requirement (HB 2038, 2024) — Must provide notice to all parties before recording wire/electronic communications | CE-10 | ⏳ Not Started | Auto-play recording notice at call start; log acknowledgment |
| CR-03 | Interstate calls — Two-party consent states may require all-party consent | CE-10 | 📋 Policy | Default to all-party notice for out-of-state calls; policy guidance |
| CR-04 | Recording retention — Store recordings securely; comply with data retention policies | CE-10, IT-05 | ⏳ Not Started | Encrypted storage; retention schedule per policy |
4. FCC Telemarketing Rules
| # | Requirement | Responsible Spec | Status | Notes |
|---|
| FCC-01 | National Do Not Call Registry — Check DNC registry before outbound marketing calls | CE-10, CE-16 | ⏳ Not Started | CE-16 owns DNC registry CSV import and creates suppression records (source=‘dnc_registry’); CE-10 calls pre-send check before dial |
| FCC-02 | Internal Do Not Call list — Maintain and honor organization’s internal DNC list | CE-10, CE-08, CE-16 | ⏳ Not Started | CE-16 owns internal DNC list via ce_suppressions (suppress_phone=true); CE-10/CE-08 consume via suppression check API |
| FCC-03 | Caller ID — Transmit accurate caller ID information | CE-10 | 📋 Operational | Telephony provider configuration |
| FCC-04 | Calling hours — Outbound marketing calls only 8am-9pm recipient local time | CE-10 | ⏳ Not Started | Time zone-aware scheduling |
5. Charitable Solicitation (if applicable)
| # | Requirement | Responsible Spec | Status | Notes |
|---|
| CH-01 | State registration — Register in states where soliciting donations (if applicable) | CE-09 | 📋 Assessment needed | Applicable only if CE module supports fundraising/donation campaigns |
| CH-02 | Disclosure requirements — Disclose registration status and use of funds where required | CE-09 | 📋 Assessment needed | State-specific requirements vary |
6. Lead Conversion & PHI Handling (CE-29)
| # | Requirement | Responsible Spec | Status | Notes |
|---|
| LC-01 | No PHI in event payloads — Conversion events contain IDs only (lead_id, contact_id, org_id) | CE-29 | ✅ Verified | Event payloads in useLeadMutations.ts contain IDs only per CE-01 pattern |
| LC-02 | Sanitized error messages — User-facing errors use sanitizeErrorMessage() | CE-29 | ✅ Verified | onError handler uses sanitizeErrorMessage(error) |
| LC-03 | No PHI in toast notifications — Toast messages use static strings | CE-29 | ✅ Verified | Success/error toasts use hardcoded descriptions |
| LC-04 | INSERT-only audit table — ce_lead_conversions has no UPDATE/DELETE RLS policies; explicit deny policies added | CE-29 | ✅ Verified | RLS: SELECT + INSERT only; explicit UPDATE/DELETE deny policies; immutable for 7-year retention |
| LC-05 | 42 CFR Part 2 — SUD data gating — Conversion payloads must not include SUD screening data without consent verification | CE-29, CE-28 | 📋 Deferred | CE-28 screening UI not yet implemented; conversion payloads carry IDs only (no SUD content). Consent gating required when CE-28 wires screening data into conversion flow. |
| LC-06 | Conversion notes character limit — Notes capped at 500 chars to reduce PHI exposure risk | CE-29 | ✅ Verified | Textarea maxLength={500} with character counter |
7. AI Triage PHI & SUD Compliance (CE-54)
| # | Requirement | Responsible Spec | Status | Notes |
|---|
| AI-01 | No PHI in AI prompts — AI payload uses structured criteria only (insurance type, diagnosis category, demographics bucket); no names, DOBs, SSNs, addresses, or free-text clinical notes | CE-54, PF-27 | 📋 Draft | Constitution §4.3.2; _shared/phi-detection.ts validates payload before transmission |
| AI-02 | SUD consent gating (server-side) — Edge function checks consent_obtained = true AND consent_method IS NOT NULL on ce_screening_attempts before including SUD fields; not bypassable from client | CE-54, CL-11 | 📋 Draft | 42 CFR Part 2 § 2.31; server-side enforcement in ai-triage-evaluate edge function |
| AI-03 | Blocked SUD attempts audit-logged — Blocked SUD processing creates pf_audit_logs entry with timestamp, user_id, screening_attempt_id, action | CE-54 | 📋 Draft | 42 CFR Part 2 § 2.13 |
| AI-04 | PHI detection on AI response — AI response validated by _shared/phi-detection.ts before storage; PHI-detected responses rejected and audit-logged | CE-54 | 📋 Draft | HIPAA Privacy Rule; re-disclosure prevention per § 2.32 |
| AI-05 | Structured output prevents re-disclosure — Tool-calling schema constrains AI output to enumerated fields; no free-text SUD content in stored responses | CE-54 | 📋 Draft | 42 CFR Part 2 § 2.32 |
| AI-06 | Model metadata audit trail — Every AI triage run records model_id, model_version, prompt_version, processing_time_ms, user_id, organization_id | CE-54 | 📋 Draft | HIPAA Security Rule audit controls; Constitution §4.3.7 |
| AI-07 | Permission-gated access — ce.triage.view, ce.triage.run, ce.triage.decide, ce.triage.manage enforced via pf_has_permission() | CE-54, PF-30 | 📋 Draft | HIPAA Security Rule access controls |
| AI-08 | Auth verification — Edge function validates auth via verifyOrgAccess() from _shared/auth.ts; unauthenticated calls return 401 | CE-54 | 📋 Draft | Constitution §4.3; HIPAA Security Rule |
CE-54 Initial Release Compliance Gate (Required Before Phase 1 Build)
- AI-01 through AI-08 are release-blocking controls for the initial CE-54 launch; they are not deferred to follow-up patches.
ai-triage-evaluate must enforce SUD consent gating exactly as specified: consent_obtained = true AND consent_method IS NOT NULL before including SUD-tagged fields in prompts._shared/phi-detection.ts must be wired on both request payload preflight and AI response post-processing; PHI detections must reject processing/storage.- Blocked SUD attempts and PHI rejections must create
pf_audit_logs entries; edge-function auth and authorization must enforce verifyOrgAccess() + pf_has_permission() for all CE-54 triage actions.
- Every AI run must persist model metadata (
model_id, model_version, prompt_version, processing_time_ms, user_id, organization_id) in CE-54 audit/result records.
- CE-54 spec, schema migrations, and RLS policies must include the controls above before release promotion; firm deployment target:
2026-06-30 (SUD-handling compliance gate).
8. Authoritative External References
9. Periodic Review Schedule
| Review | Frequency | Next Due | Owner |
|---|
| CAN-SPAM compliance audit | Quarterly | //____ | Marketing Director |
| TCPA consent mechanism review | Quarterly | //____ | Compliance Officer |
| DNC list synchronization | Monthly | //____ | Marketing Director |
| Call recording notice verification | Quarterly | //____ | Compliance Officer |
| Charitable solicitation assessment | Annually | //____ | Legal Counsel |
| Lead conversion PHI audit | Quarterly | //____ | Compliance Officer |
Version History
1.4.0 (2026-05-13)
- Added CE-08-ENHANCEMENTS partial evidence for EN-01 + EN-02 execution slice:
- shared pre-send compliance gate (local consent/opt-out shim),
- MMS media constraints and PHI media warning,
- scheduled send execution-time consent and TCPA window checks.
- Updated TCPA rows TC-01, TC-02, TC-05, TC-06, and TC-08 to
🔜 In Progress with current slice evidence notes.
1.3.0 (2026-05-12)
- Added Section 7: AI Triage PHI & SUD Compliance (CE-54)
- 8 compliance requirements tracked for AI triage pipeline (PHI in prompts, SUD consent gating, re-disclosure prevention, audit trail)
- Renumbered §8 → §9 (Periodic Review)
1.2.0 (2026-03-30)
- Merged duplicate §6/§7 (external references) and §7/§8 (periodic review) into canonical sections
- Updated LC-04 to reflect explicit deny policies for UPDATE/DELETE
- Renumbered sections for consistency
1.1.0 (2026-03-28)
- Added Section 6: Lead Conversion & PHI Handling (CE-29)
- 6 compliance requirements tracked for conversion pipeline
- PHI audit verified: event payloads, error messages, toasts, audit immutability
1.0.0 (2026-02-27)
- Initial CE communications compliance document
- Covers CAN-SPAM, TCPA (SMS), Arizona call recording (ARS 13-3005, HB 2038), FCC telemarketing, charitable solicitation
- 25+ compliance requirements tracked across 5 categories
Last Updated: 2026-05-13
Next Review: 2026-08-12
