What d3rx will not say.
Healthcare-compliance content sits inside Google’s Your-Money-or-Your-Life category — the topic class subjected to the strictest accuracy and trust standards. Most of the market overclaims here: implied certifications, blanket guarantees, attorney-approved stamps, and absolutes that no party in this market is empowered to issue. D3rx writes the rules of restraint down, enforces them as a hard CI gate, and publishes them as policy on this page.
The list below is the canonical roster — generated at build time from the same source files the scanner reads. On every scanner-wired surface (guide content loaders, SRA report generation, AI-rendered prose, exported binders), a single forbidden phrase becomes a hard failure before it can ship.
The forbidden phrases.
24 phrases, alphabetical. Every formulation below is rejected by the scanner on the surfaces it is wired into — guide content loaders, SRA report generation, AI-rendered prose blocks, frontmatter, and report exports. Each entry pairs the literal phrase with the one-sentence reason we refuse it.
Examples of what we do NOT say
—100% compliant
A numeric absolute on an unauditable judgment is marketing puffery, not a fact. It also invites UDAP and FTC scrutiny under false-advertising rules.
—100% secure
Security is a posture against a moving threat model. No system on the open internet earns the absolute, and asserting it is the canonical example of a claim that ages badly.
—attorney approved
Same defect as the lawyer-approved formulation. Stating it without naming the attorney, the engagement, and the scope of review is misleading.
—attorney-approved
Same defect as the lawyer-approved formulation. Stating it without naming the attorney, the engagement, and the scope of review is misleading.
—audit proof
Suggests immunity from a federal enforcement process no vendor can guarantee. The word also misleads about what documentation can and cannot do.
—audit-proof
Hyphenated form of the same overclaim. Documentation supports defense; it does not confer immunity.
—complete compliance program by itself
A compliance program is a set of human commitments — policies adopted by leadership, training delivered to workforce, sanctions issued by management. No software constitutes that program by itself.
—eliminates compliance risk
Risk is reduced, transferred, accepted, or mitigated. It is not eliminated by software, and saying otherwise misrepresents the discipline.
—fully compliant
Same defect as the numeric version, slightly softer language. A practice is responsible for its program; software organizes evidence, it does not finalize judgment.
—guaranteed compliant
Compliance is a continuous obligation of the covered entity. No vendor — software or human — can guarantee an outcome they do not control.
—HHS certified
HHS does not certify software, vendors, or compliance programs. The phrase invents an endorsement that does not exist.
—HIPAA certified
HHS and OCR do not endorse or recognize private HIPAA certifications, and do not certify persons or products as HIPAA compliant. Asserting otherwise mischaracterizes the federal program.
—HIPAA-certified
HHS and OCR do not endorse or recognize private HIPAA certifications, and do not certify persons or products as HIPAA compliant. Asserting otherwise mischaracterizes the federal program.
—HIPAA-ready
There is no published readiness threshold a vendor can clear and stamp. The word smuggles in a verdict no regulator issues.
—indemnifies
Indemnity is a signed-contract allocation of liability between specific parties — not a marketing claim and not a page-level promise.
—indemnify
Indemnity is a signed-contract allocation of liability between specific parties — not a marketing claim and not a page-level promise.
—indemnifying
Indemnity is a signed-contract allocation of liability between specific parties — not a marketing claim and not a page-level promise.
—lawyer approved
Implies attorney review of work product we did not have a lawyer review. We do not staff in-house counsel; we will not pretend otherwise on a label.
—lawyer-approved
Implies attorney review of work product we did not have a lawyer review. We do not staff in-house counsel; we will not pretend otherwise on a label.
—never get audited
Audits are initiated by the regulator, not by us. We cannot influence that probability and will not pretend to.
—now compliant
Implies a binary state change a vendor cannot effect. Compliance is a posture maintained by the practice, not a status software switches on.
—OCR approved
The HHS Office for Civil Rights enforces the rules; it does not pre-approve vendors or work product against them.
—pass your audit
Promises an outcome controlled by the auditor and the practice's actual posture, not by us. We assist with documentation; we do not adjudicate audits.
—replaces counsel
We are not a law firm and will not stand between a practice and its lawyers. Counsel reviews the program; software organizes the artifacts counsel reviews.
What we say instead.
Restraint is not silence. Every forbidden formulation has a serviceable replacement that says the true, narrower thing. The pairing table below is the editorial drop-in vocabulary used across the corpus.
100% compliantdocumentation aid for the practice's compliance program
100% securedescribes the security controls we operate against; security is a posture, not a verdict
attorney approvedthe practice's counsel should review work product before reliance
attorney-approvedthe practice's counsel should review work product before reliance
audit proofdocumentation aid intended to support an audit response — the auditor and the practice's posture determine the outcome
audit-proofdescribed in scope, with the underlying source cited
complete compliance program by itselfone administrative tool inside a larger program owned by the practice
eliminates compliance riskhelps the practice identify, document, and track compliance risk
fully compliantsupports the practice's compliance posture
guaranteed complianthelps the practice maintain its own compliance program
HHS certifiedcites HHS guidance directly
HIPAA certifiedsupports a HIPAA compliance program
HIPAA-certifiedsupports a HIPAA compliance program
HIPAA-readyorganizes the documentation a HIPAA program produces
indemnifieswe describe scope, limits, and responsibilities — we do not transfer legal liability
indemnifywe describe scope, limits, and responsibilities — we do not transfer legal liability
indemnifyingwe describe scope, limits, and responsibilities — we do not transfer legal liability
lawyer approvedthe practice's counsel should review work product before reliance
lawyer-approvedthe practice's counsel should review work product before reliance
never get auditedaudits are initiated by regulators; we do not influence that probability
now compliantdocumentation generated as of this date
OCR approvedreferences published OCR enforcement actions and guidance
pass your auditorganize the artifacts an auditor typically requests
replaces counselcomplements — does not substitute for — review by qualified counsel
How we enforce it.
The roster above is a hard gate on the surfaces it is wired into, not an aspiration. Every guide body and every frontmatter string is run through a scanner at load time. SRA report payloads are scanned before they reach the user. A single forbidden phrase on any of those surfaces becomes a failure — the load throws, the report request rejects, the test suite refuses to pass. Writer agents dropping new files into our content directories cannot ship past the gate without staying inside the restraint vocabulary.
The canonical sources of truth live at:
src/lib/compliance-guides/forbidden-claims.tssrc/lib/compliance-sra/claims.ts
The scanner does negation-aware lookback so the canonical disclaimer — “does not certify compliance, does not provide legal advice, does not replace counsel, does not guarantee an audit outcome” — coexists with the forbidden roster. Negators in a previous sentence do not suppress a downstream claim. Double-negation reads as positive assertion. Cross-clause negators (those scoping a different clause via a coordinating conjunction) do not rescue the claim either.
export function assertNoForbiddenComplianceClaims(
text: string,
slug: string,
): void {
const normalized = text.toLowerCase();
for (const claim of FORBIDDEN_COMPLIANCE_CLAIMS) {
const needle = claim.toLowerCase();
let cursor = 0;
while (cursor <= normalized.length) {
const idx = normalized.indexOf(needle, cursor);
if (idx === -1) break;
if (!isInsideNegation(normalized, idx)) {
throw new Error(
`Forbidden compliance claim detected in ${slug}: ${claim}`,
);
}
cursor = idx + needle.length;
}
}
}Our sourcing standard.
Government sources first. Always. We cite the actual rule, the actual federal manual, the actual enforcement record. Industry associations are admitted only when no governmental source covers the question — and the article tags the citation accordingly.
HHS / OCR
Statutory authority and enforcement history for HIPAA Privacy, Security, and Breach Notification Rules.
CMS
Coverage, billing, modifier, NCCI, MUE, and payment-policy rules — including Medicare Claims Processing Manual citations.
eCFR
The current consolidated regulatory text, cited by section.
NIST
Security control frameworks — primarily SP 800-66 (HIPAA Security Rule mapping) and SP 800-53/171 where referenced.
State regulators
State medical boards, state attorneys general, and state breach-notification statutes when a state overlay applies.
Industry sources
AMA, AAPC, and specialty societies only when no governmental source exists. Tagged in the article.
What we are not.
Restraint requires saying what the product is not, in plain language, in the same place a buyer reads what the product is.
Not a law firm.
D3rx does not provide legal advice and is not a substitute for counsel.
Not an accreditor.
We do not accredit practices, vendors, training programs, or compliance officers.
Not a certifier.
HHS and OCR do not endorse or recognize private HIPAA certifications, and do not certify persons or products as HIPAA compliant. We do not issue badges, seals, or pass/fail verdicts that imply otherwise.
Not your compliance officer.
The named compliance officer at the practice is responsible for adopting, maintaining, and exercising the program. Software is one tool inside that program.
Not a security testing service.
We do not perform penetration testing, vulnerability scanning, or phishing simulation. We describe a posture; we do not test or improve it.
What we are.
A documentation aid, a research aid, and a workspace for the everyday clinical and financial questions a small medical practice deals with.
See how these rules render in the product: start a free workspace, or open the Learning Library.
This page is the editorial policy itself. The rules here are the standard we hold every guide, every help article, and every workspace prose output to — enforced in code on the scanner-wired surfaces, and applied by editorial review everywhere else. If a published surface ever drifts from this discipline, the discrepancy is a defect — write to [email protected] and we will correct it.