# CE Communications Compliance Tracking

**Version:** 1.4.0
**Last Updated:** 2026-05-13
**Status:** Active
**Module:** CE (Community Engagement)

> **Cross-References:**
>
> * [REGULATORY\_COMPLIANCE\_TRACKER.md](REGULATORY_COMPLIANCE_TRACKER.md) — Master compliance tracker
> * [FCRA\_TCPA\_COMPLIANCE\_TRACKING.md](FCRA_TCPA_COMPLIANCE_TRACKING.md) — HR TCPA tracking (SMS consent patterns applicable to CE)
> * [AGENTS.md](../../AGENTS.md) § Authoritative External References

***

## Overview

This document tracks communications and marketing compliance for the CE module, which manages CRM, campaigns, SMS messaging, call tracking, and community outreach. Key regulations include CAN-SPAM (email), TCPA (SMS/telephony), Arizona call recording law, and FCC telemarketing rules. Where CE handles PHI or SUD-related communications, HIPAA and 42 CFR Part 2 also apply.

***

## 1. CAN-SPAM Act (Commercial Email)

| #     | Requirement                                                                                         | Responsible Spec | Status        | Notes                                                                                                                                                 |
| ----- | --------------------------------------------------------------------------------------------------- | ---------------- | ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
| CS-01 | **Accurate header information** — From, To, Reply-To must accurately identify sender                | CE-09            | ⏳ Not Started | Email template validation; org-level sender configuration                                                                                             |
| CS-02 | **Non-deceptive subject lines** — Subject must reflect message content                              | CE-09            | ⏳ Not Started | Campaign review workflow; template approval                                                                                                           |
| CS-03 | **Advertisement identification** — Clearly identify commercial messages as advertisements           | CE-09            | ⏳ Not Started | Auto-label commercial campaigns; transactional messages exempt                                                                                        |
| CS-04 | **Physical address** — Include valid postal address in every commercial email                       | CE-09            | ⏳ Not Started | Org address auto-inserted in email footer                                                                                                             |
| CS-05 | **Unsubscribe mechanism** — Conspicuous opt-out; honor within 10 business days                      | CE-09, **CE-16** | ⏳ Not Started | CE-09 owns unsubscribe link in emails; CE-16 owns unified suppression registry (`ce_suppressions`) that records opt-outs and enforces pre-send blocks |
| CS-06 | **Opt-out list management** — Maintain and honor suppression lists; no sharing                      | CE-09, **CE-16** | ⏳ Not Started | CE-16 centralizes opt-out list management via `ce_suppressions` (suppress\_email=true); CE-09 consumes via pre-send check                             |
| CS-07 | **HIPAA marketing overlay** — PHI-based marketing requires patient authorization per 45 CFR 164.508 | CE-09, PF-44     | 📋 Policy     | CE campaigns must not use PHI for marketing without authorization                                                                                     |

***

## 2. TCPA (SMS and Telephony)

| #     | Requirement                                                                                     | Responsible Spec | Status         | Notes                                                                                                                                                          |
| ----- | ----------------------------------------------------------------------------------------------- | ---------------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| TC-01 | **Express written consent** — Obtain prior express written consent before sending automated SMS | CE-08, **CE-16** | 🔜 In Progress | CE-08 EN send gate now enforces a local consent/opt-out fallback (shim) before each send; the CE-16 registry remains the canonical source once the evidence pipeline is finalized. |
| TC-02 | **Consent per message type** — Separate consent for marketing vs transactional messages         | CE-08, **CE-16** | 🔜 In Progress | CE-08 EN send gate enforces marketing consent requirement (`messageType=marketing`) and fail-closed opt-out handling in current slice.                         |
| TC-03 | **STOP keyword opt-out** — Honor STOP replies immediately                                       | CE-08, **CE-16** | ⏳ Not Started  | CE-08 processes inbound STOP webhook; CE-16 records suppression in `ce_suppressions` (reason='stop\_keyword') and blocks future sends                          |
| TC-04 | **Opt-out confirmation** — Single confirmation message upon opt-out                             | CE-08, **CE-16** | ⏳ Not Started  | CE-08 sends confirmation; CE-16 records consent withdrawal evidence in `ce_consent_evidence` (action='withdrawn')                                              |
| TC-05 | **Business hours** — Send messages only during appropriate hours (8am-9pm recipient local time) | CE-08            | 🔜 In Progress | CE-08 EN scheduled execution now applies the TCPA 8am-9pm recipient-local-time window and re-queues sends that fall outside it.                                                |
| TC-06 | **Sender identification** — Identify organization in every message                              | CE-08            | 🔜 In Progress | Shared send gate now injects organization identifier prefix in outbound message normalization.                                                                 |
| TC-07 | **10DLC/A2P registration** — Register for A2P 10DLC with carrier to avoid filtering             | CE-08            | ⏳ Not Started  | Carrier registration required before production SMS                                                                                                            |
| TC-08 | **No PHI in SMS** — Messages must not contain PHI                                               | CE-08, PF-44     | 🔜 In Progress | Send gate and MMS path now warn/block per org PHI mode; MMS UI adds explicit PHI media safeguard warning and server-side MIME/size validation metadata checks. |
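
The check order the TCPA rows above describe (suppression registry first, then per-type consent, then the 8am-9pm recipient-local window, then sender identification) is the kind of fail-closed gate that is easy to get subtly wrong, especially the time-zone step. The block below is an added example written for this page, not CE-08 or CE-16 code. `ce_suppressions.suppress_phone` and `reason='stop_keyword'`, and `ce_consent_evidence` with `action='withdrawn'`, follow the tables; the consent row shape, the `OrgName: ` prefix format, the treatment of the window as `08:00 <= local < 21:00`, and the sample phone numbers are assumptions. The email path (CS-05/CS-06) is the same gate with `suppress_email` in place of `suppress_phone`.

```typescript
// Added example (not project code): fail-closed pre-send SMS gate with TCPA window re-queue.
type MessageType = "marketing" | "transactional";
interface SuppressionRow { phone: string; suppress_phone: boolean; reason: string }  // ce_suppressions (subset)
interface ConsentRow { phone: string; marketing: boolean; transactional: boolean }     // assumed consent shape
interface EvidenceRow { phone: string; action: "granted" | "withdrawn"; at: string }  // ce_consent_evidence (subset)
interface OutboundSms { to: string; messageType: MessageType; recipientTz: string; body: string }
export type GateDecision =
  | { action: "send"; body: string }
  | { action: "block"; reason: string }
  | { action: "requeue"; sendAt: Date };

const WINDOW_OPEN_HOUR = 8;   // sends allowed from 08:00 recipient local time...
const WINDOW_CLOSE_HOUR = 21; // ...up to but not including 21:00 (assumption: 21:00 itself is closed)

// Wall-clock fields of `instant` in IANA zone `tz`, via Intl, so no time-zone library is needed.
function wallClock(instant: Date, tz: string) {
  const fmt = new Intl.DateTimeFormat("en-US", {
    timeZone: tz, hourCycle: "h23", year: "numeric", month: "2-digit", day: "2-digit",
    hour: "2-digit", minute: "2-digit", second: "2-digit",
  });
  const p: Record<string, number> = {};
  for (const { type, value } of fmt.formatToParts(instant)) if (type !== "literal") p[type] = Number(value);
  return { year: p.year, month: p.month, day: p.day, hour: p.hour % 24, minute: p.minute, second: p.second };
}

// UTC offset in effect at `instant` for `tz`: the wall clock read as UTC minus the real instant.
function utcOffsetMs(instant: Date, tz: string): number {
  const w = wallClock(instant, tz);
  return Date.UTC(w.year, w.month - 1, w.day, w.hour, w.minute, w.second) - instant.getTime();
}

// Earliest instant >= now whose recipient-local time is inside the window; `now` itself if already inside.
export function nextSendWindow(now: Date, tz: string): Date {
  const w = wallClock(now, tz);
  if (w.hour >= WINDOW_OPEN_HOUR && w.hour < WINDOW_CLOSE_HOUR) return now;
  const dayShift = w.hour >= WINDOW_CLOSE_HOUR ? 1 : 0; // at/after 21:00 -> tomorrow 08:00; Date.UTC normalises month overflow
  const wallTarget = Date.UTC(w.year, w.month - 1, w.day + dayShift, WINDOW_OPEN_HOUR, 0, 0);
  const guess = new Date(wallTarget - utcOffsetMs(now, tz)); // first guess uses the offset in force now...
  return new Date(wallTarget - utcOffsetMs(guess, tz));      // ...then re-reads it at the target to absorb a DST change
}

export function preSendGate(
  msg: OutboundSms, suppressions: SuppressionRow[], consents: ConsentRow[], orgName: string, now: Date = new Date(),
): GateDecision {
  // 1. Suppression registry wins over everything else (STOP, DNC import, manual opt-out).
  const sup = suppressions.find(s => s.phone === msg.to && s.suppress_phone);
  if (sup) return { action: "block", reason: `suppressed:${sup.reason}` };
  // 2. Fail closed: no consent record at all means no automated send.
  const consent = consents.find(c => c.phone === msg.to);
  if (!consent) return { action: "block", reason: "no_consent_record" };
  // 3. Consent is per message type; marketing needs its own express written consent (TC-02).
  if (!consent[msg.messageType]) return { action: "block", reason: `no_${msg.messageType}_consent` };
  // 4. Calling-hours window in the recipient's zone; outside it, re-queue instead of dropping (TC-05).
  const sendAt = nextSendWindow(now, msg.recipientTz);
  if (sendAt.getTime() !== now.getTime()) return { action: "requeue", sendAt };
  // 5. Sender identification prefix (TC-06), added exactly once.
  const prefix = `${orgName}: `;
  return { action: "send", body: msg.body.startsWith(prefix) ? msg.body : prefix + msg.body };
}

// Inbound STOP: write the suppression and the withdrawal evidence; return true only the first time
// so exactly one confirmation goes out (TC-03/TC-04). The gate above blocks everything afterwards.
export function recordStopKeyword(phone: string, suppressions: SuppressionRow[], evidence: EvidenceRow[], at: Date): boolean {
  if (suppressions.some(s => s.phone === phone && s.suppress_phone)) return false;
  suppressions.push({ phone, suppress_phone: true, reason: "stop_keyword" });
  evidence.push({ phone, action: "withdrawn", at: at.toISOString() });
  return true;
}

// Constructed sample data (not real records).
export const sampleSuppressions: SuppressionRow[] = [{ phone: "+16025550101", suppress_phone: true, reason: "stop_keyword" }];
export const sampleConsents: ConsentRow[] = [
  { phone: "+16025550101", marketing: true, transactional: true },
  { phone: "+16025550102", marketing: false, transactional: true },
  { phone: "+16025550103", marketing: true, transactional: true },
];
```

A suppressed number is blocked even though it still has a consent row, which is the point of checking the registry before consent: an opt-out must not be undone by stale consent evidence. The window step returns a concrete `sendAt` rather than a boolean so the scheduler can re-queue without recomputing the zone logic.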

***

## 3. Arizona Call Recording (ARS 13-3005, HB 2038)

| #     | Requirement                                                                                                                 | Responsible Spec      | Status        | Notes                                                               |
| ----- | --------------------------------------------------------------------------------------------------------------------------- | --------------------- | ------------- | ------------------------------------------------------------------- |
| CR-01 | **One-party consent** — Arizona is one-party consent; at least one party must consent to recording                          | CE-10 (if applicable) | 📋 Policy     | Staff making calls are the consenting party                         |
| CR-02 | **Notice requirement (HB 2038, 2024)** — Must provide notice to all parties before recording wire/electronic communications | CE-10                 | ⏳ Not Started | Auto-play recording notice at call start; log acknowledgment        |
| CR-03 | **Interstate calls** — The other party may be in an all-party (two-party) consent state, whose law can require every party's consent                     | CE-10                 | 📋 Policy     | Default to all-party notice for out-of-state calls; policy guidance |
| CR-04 | **Recording retention** — Store recordings securely; comply with data retention policies                                    | CE-10, IT-05          | ⏳ Not Started | Encrypted storage; retention schedule per policy                    |

***

## 4. FCC Telemarketing Rules

| #      | Requirement                                                                            | Responsible Spec        | Status         | Notes                                                                                                                               |
| ------ | -------------------------------------------------------------------------------------- | ----------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| FCC-01 | **National Do Not Call Registry** — Check DNC registry before outbound marketing calls | CE-10, **CE-16**        | ⏳ Not Started  | CE-16 owns DNC registry CSV import and creates suppression records (source='dnc\_registry'); CE-10 calls pre-send check before dial |
| FCC-02 | **Internal Do Not Call list** — Maintain and honor organization's internal DNC list    | CE-10, CE-08, **CE-16** | ⏳ Not Started  | CE-16 owns internal DNC list via `ce_suppressions` (suppress\_phone=true); CE-10/CE-08 consume via suppression check API            |
| FCC-03 | **Caller ID** — Transmit accurate caller ID information                                | CE-10                   | 📋 Operational | Telephony provider configuration                                                                                                    |
| FCC-04 | **Calling hours** — Outbound marketing calls only 8am-9pm recipient local time         | CE-10                   | ⏳ Not Started  | Time zone-aware scheduling                                                                                                          |

***

## 5. Charitable Solicitation (if applicable)

| #     | Requirement                                                                                | Responsible Spec | Status               | Notes                                                                |
| ----- | ------------------------------------------------------------------------------------------ | ---------------- | -------------------- | -------------------------------------------------------------------- |
| CH-01 | **State registration** — Register in states where soliciting donations (if applicable)     | CE-09            | 📋 Assessment needed | Applicable only if CE module supports fundraising/donation campaigns |
| CH-02 | **Disclosure requirements** — Disclose registration status and use of funds where required | CE-09            | 📋 Assessment needed | State-specific requirements vary                                     |

***

## 6. Lead Conversion & PHI Handling (CE-29)

| #     | Requirement                                                                                                                | Responsible Spec | Status      | Notes                                                                                                                                                                      |
| ----- | -------------------------------------------------------------------------------------------------------------------------- | ---------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| LC-01 | **No PHI in event payloads** — Conversion events contain IDs only (lead\_id, contact\_id, org\_id)                         | CE-29            | ✅ Verified  | Event payloads in `useLeadMutations.ts` contain IDs only per CE-01 pattern                                                                                                 |
| LC-02 | **Sanitized error messages** — User-facing errors use `sanitizeErrorMessage()`                                             | CE-29            | ✅ Verified  | `onError` handler uses `sanitizeErrorMessage(error)`                                                                                                                       |
| LC-03 | **No PHI in toast notifications** — Toast messages use static strings                                                      | CE-29            | ✅ Verified  | Success/error toasts use hardcoded descriptions                                                                                                                            |
| LC-04 | **INSERT-only audit table** — `ce_lead_conversions` has no UPDATE/DELETE RLS policies; explicit deny policies added        | CE-29            | ✅ Verified  | RLS: SELECT + INSERT only; explicit UPDATE/DELETE deny policies; immutable for 7-year retention                                                                            |
| LC-05 | **42 CFR Part 2 — SUD data gating** — Conversion payloads must not include SUD screening data without consent verification | CE-29, CE-28     | 📋 Deferred | CE-28 screening UI not yet implemented; conversion payloads carry IDs only (no SUD content). Consent gating required when CE-28 wires screening data into conversion flow. |
| LC-06 | **Conversion notes character limit** — Notes capped at 500 chars to reduce PHI exposure risk                               | CE-29            | ✅ Verified  | `Textarea maxLength={500}` with character counter                                                                                                                          |

***

## 7. AI Triage PHI & SUD Compliance (CE-54)

| #     | Requirement                                                                                                                                                                                             | Responsible Spec | Status   | Notes                                                                                 |
| ----- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------- | ------------------------------------------------------------------------------------- |
| AI-01 | **No PHI in AI prompts** — AI payload uses structured criteria only (insurance type, diagnosis category, demographics bucket); no names, DOBs, SSNs, addresses, or free-text clinical notes             | CE-54, PF-27     | 📋 Draft | Constitution §4.3.2; `_shared/phi-detection.ts` validates payload before transmission |
| AI-02 | **SUD consent gating (server-side)** — Edge function checks `consent_obtained = true AND consent_method IS NOT NULL` on `ce_screening_attempts` before including SUD fields; not bypassable from client | CE-54, CL-11     | 📋 Draft | 42 CFR Part 2 § 2.31; server-side enforcement in `ai-triage-evaluate` edge function   |
| AI-03 | **Blocked SUD attempts audit-logged** — Blocked SUD processing creates `pf_audit_logs` entry with timestamp, user\_id, screening\_attempt\_id, action                                                   | CE-54            | 📋 Draft | 42 CFR Part 2 § 2.13                                                                  |
| AI-04 | **PHI detection on AI response** — AI response validated by `_shared/phi-detection.ts` before storage; PHI-detected responses rejected and audit-logged                                                 | CE-54            | 📋 Draft | HIPAA Privacy Rule; re-disclosure prevention per § 2.32                               |
| AI-05 | **Structured output prevents re-disclosure** — Tool-calling schema constrains AI output to enumerated fields; no free-text SUD content in stored responses                                              | CE-54            | 📋 Draft | 42 CFR Part 2 § 2.32                                                                  |
| AI-06 | **Model metadata audit trail** — Every AI triage run records model\_id, model\_version, prompt\_version, processing\_time\_ms, user\_id, organization\_id                                               | CE-54            | 📋 Draft | HIPAA Security Rule audit controls; Constitution §4.3.7                               |
| AI-07 | **Permission-gated access** — `ce.triage.view`, `ce.triage.run`, `ce.triage.decide`, `ce.triage.manage` enforced via `pf_has_permission()`                                                              | CE-54, PF-30     | 📋 Draft | HIPAA Security Rule access controls                                                   |
| AI-08 | **Auth verification** — Edge function validates auth via `verifyOrgAccess()` from `_shared/auth.ts`; unauthenticated calls return 401                                                                   | CE-54            | 📋 Draft | Constitution §4.3; HIPAA Security Rule                                                |

### CE-54 Initial Release Compliance Gate (Required Before Phase 1 Build)

* AI-01 through AI-08 are release-blocking controls for the initial CE-54 launch; they are not deferred to follow-up patches.
* `ai-triage-evaluate` must enforce SUD consent gating exactly as specified: `consent_obtained = true AND consent_method IS NOT NULL` before including SUD-tagged fields in prompts.
* `_shared/phi-detection.ts` must be wired on both request payload preflight and AI response post-processing; PHI detections must reject processing/storage.
* Blocked SUD attempts and PHI rejections must create `pf_audit_logs` entries; edge-function auth and authorization must enforce `verifyOrgAccess()` + `pf_has_permission()` for all CE-54 triage actions.
* Every AI run must persist model metadata (`model_id`, `model_version`, `prompt_version`, `processing_time_ms`, `user_id`, `organization_id`) in CE-54 audit/result records.
* CE-54 spec, schema migrations, and RLS policies must include the controls above before release promotion; **firm deployment target:** `2026-06-30` (SUD-handling compliance gate).

***

## 8. Authoritative External References

| Source                                            | URL                                                                                                                                                                                                          | Used By |
| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- |
| FTC: CAN-SPAM Act Compliance Guide                | [https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business](https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business)                             | CE-09   |
| FCC: TCPA Rules and Consent                       | [https://www.fcc.gov/document/rules-and-regulations-implementing-telephone-consumer-protection-act-22](https://www.fcc.gov/document/rules-and-regulations-implementing-telephone-consumer-protection-act-22) | CE-08   |
| FCC: National Do Not Call Registry                | [https://www.donotcall.gov/](https://www.donotcall.gov/)                                                                                                                                                     | CE-10   |
| Arizona ARS 13-3005 (Wiretapping/Recording)       | [https://www.azleg.gov/ars/13/03005.htm](https://www.azleg.gov/ars/13/03005.htm)                                                                                                                             | CE-10   |
| Arizona HB 2038 (2024 recording notice amendment) | [https://www.azleg.gov/legtext/56leg/2r/bills/hb2038h.pdf](https://www.azleg.gov/legtext/56leg/2r/bills/hb2038h.pdf)                                                                                         | CE-10   |
| HIPAA Marketing Authorization (45 CFR 164.508)    | [https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/marketing/index.html](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/marketing/index.html)                                       | CE-09   |

***

## 9. Periodic Review Schedule

| Review                             | Frequency | Next Due           | Owner              |
| ---------------------------------- | --------- | ------------------ | ------------------ |
| CAN-SPAM compliance audit          | Quarterly | \_\_/\_\_/\_\_\_\_ | Marketing Director |
| TCPA consent mechanism review      | Quarterly | \_\_/\_\_/\_\_\_\_ | Compliance Officer |
| DNC list synchronization           | Monthly   | \_\_/\_\_/\_\_\_\_ | Marketing Director |
| Call recording notice verification | Quarterly | \_\_/\_\_/\_\_\_\_ | Compliance Officer |
| Charitable solicitation assessment | Annually  | \_\_/\_\_/\_\_\_\_ | Legal Counsel      |
| Lead conversion PHI audit          | Quarterly | \_\_/\_\_/\_\_\_\_ | Compliance Officer |

***

## Version History

### 1.4.0 (2026-05-13)

* Added CE-08-ENHANCEMENTS partial evidence for EN-01 + EN-02 execution slice:
  * shared pre-send compliance gate (local consent/opt-out shim),
  * MMS media constraints and PHI media warning,
  * scheduled send execution-time consent and TCPA window checks.
* Updated TCPA rows TC-01, TC-02, TC-05, TC-06, and TC-08 to `🔜 In Progress` with current slice evidence notes.

### 1.3.0 (2026-05-12)

* Added Section 7: AI Triage PHI & SUD Compliance (CE-54)
* 8 compliance requirements tracked for AI triage pipeline (PHI in prompts, SUD consent gating, re-disclosure prevention, audit trail)
* Renumbered §8 → §9 (Periodic Review)

### 1.2.0 (2026-03-30)

* Merged duplicate §6/§7 (external references) and §7/§8 (periodic review) into canonical sections
* Updated LC-04 to reflect explicit deny policies for UPDATE/DELETE
* Renumbered sections for consistency

### 1.1.0 (2026-03-28)

* Added Section 6: Lead Conversion & PHI Handling (CE-29)
* 6 compliance requirements tracked for conversion pipeline
* PHI audit verified: event payloads, error messages, toasts, audit immutability

### 1.0.0 (2026-02-27)

* Initial CE communications compliance document
* Covers CAN-SPAM, TCPA (SMS), Arizona call recording (ARS 13-3005, HB 2038), FCC telemarketing, charitable solicitation
* 25+ compliance requirements tracked across 5 categories

***

**Last Updated:** 2026-05-13
**Next Review:** 2026-08-12
