Skip to main content
Cross-References:

Overview

This document tracks communications and marketing compliance for the CE module, which manages CRM, campaigns, SMS messaging, call tracking, and community outreach. Key regulations include CAN-SPAM (email), TCPA (SMS/telephony), Arizona call recording law, and FCC telemarketing rules. Where CE handles PHI or SUD-related communications, HIPAA and 42 CFR Part 2 also apply.

1. CAN-SPAM Act (Commercial Email)


2. TCPA (SMS and Telephony)


3. Arizona Call Recording (ARS 13-3005, HB 2038)


4. FCC Telemarketing Rules


5. Charitable Solicitation (if applicable)


6. Lead Conversion & PHI Handling (CE-29)


7. AI Triage PHI & SUD Compliance (CE-54)

CE-54 Initial Release Compliance Gate (Required Before Phase 1 Build)

  • AI-01 through AI-08 are release-blocking controls for the initial CE-54 launch; they are not deferred to follow-up patches.
  • ai-triage-evaluate must enforce SUD consent gating exactly as specified: consent_obtained = true AND consent_method IS NOT NULL before including SUD-tagged fields in prompts.
  • _shared/phi-detection.ts must be wired on both request payload preflight and AI response post-processing; PHI detections must reject processing/storage.
  • Blocked SUD attempts and PHI rejections must create pf_audit_logs entries; edge-function auth and authorization must enforce verifyOrgAccess() + pf_has_permission() for all CE-54 triage actions.
  • Every AI run must persist model metadata (model_id, model_version, prompt_version, processing_time_ms, user_id, organization_id) in CE-54 audit/result records.
  • CE-54 spec, schema migrations, and RLS policies must include the controls above before release promotion; firm deployment target: 2026-06-30 (SUD-handling compliance gate).

8. Authoritative External References


9. Periodic Review Schedule


Version History

1.4.0 (2026-05-13)

  • Added CE-08-ENHANCEMENTS partial evidence for EN-01 + EN-02 execution slice:
    • shared pre-send compliance gate (local consent/opt-out shim),
    • MMS media constraints and PHI media warning,
    • scheduled send execution-time consent and TCPA window checks.
  • Updated TCPA rows TC-01, TC-02, TC-05, TC-06, and TC-08 to 🔜 In Progress with current slice evidence notes.

1.3.0 (2026-05-12)

  • Added Section 7: AI Triage PHI & SUD Compliance (CE-54)
  • 8 compliance requirements tracked for AI triage pipeline (PHI in prompts, SUD consent gating, re-disclosure prevention, audit trail)
  • Renumbered §8 → §9 (Periodic Review)

1.2.0 (2026-03-30)

  • Merged duplicate §6/§7 (external references) and §7/§8 (periodic review) into canonical sections
  • Updated LC-04 to reflect explicit deny policies for UPDATE/DELETE
  • Renumbered sections for consistency

1.1.0 (2026-03-28)

  • Added Section 6: Lead Conversion & PHI Handling (CE-29)
  • 6 compliance requirements tracked for conversion pipeline
  • PHI audit verified: event payloads, error messages, toasts, audit immutability

1.0.0 (2026-02-27)

  • Initial CE communications compliance document
  • Covers CAN-SPAM, TCPA (SMS), Arizona call recording (ARS 13-3005, HB 2038), FCC telemarketing, charitable solicitation
  • 25+ compliance requirements tracked across 5 categories

Last Updated: 2026-05-13 Next Review: 2026-08-12