Methodology

How we research.

D3rx ships into Google’s Your-Money-or-Your-Life category. Healthcare-compliance content is held to the strictest accuracy, sourcing, and trust standards on the web — and rightly so. Practices are deciding whether to adopt a privacy policy, how to respond to an OCR investigation, and whether their billing posture will hold up under a Medicare audit. The wrong answer costs real money.

This page publishes the positive half of the editorial discipline — the source hierarchy, the citation standard, the restraint principles, what we don’t do, and the reviewer model the corpus runs on. /editorial-standards publishes the negative half: the roster of phrases the build-time scanner refuses to let ship.

Section 01

Source hierarchy.

Every guide is grounded in a primary source where one exists. The ranked list below is the order of authority D3rx defers to — higher-rank sources override lower-rank sources when the two disagree, and a guide that depends on a low-rank source for a load-bearing claim either gets pulled back to what the regulator actually published or does not ship.

  1. 01eCFR

    The Electronic Code of Federal Regulations is the authoritative published text of every federal regulation. When a guide cites 45 CFR 164.308(a)(1)(ii)(A) or 42 CFR Part 2, the eCFR URL at ecfr.gov is the primary source. Statutory text controls; D3rx commentary does not.

  2. 02HHS guidance

    The U.S. Department of Health & Human Services publishes the official guidance documents that interpret HIPAA, the HITECH Act, and Information Blocking. HHS guidance carries policy weight short of regulation and is the second-rank source D3rx defaults to when a regulation needs operational gloss.

  3. 03OCR enforcement letters and resolution agreements

    The HHS Office for Civil Rights enforces HIPAA. Published resolution agreements, civil money penalty notices, and the OCR breach portal are the empirical record of what HHS actually treats as a violation. Guides cite the underlying resolution agreement, not third-party summaries of it.

  4. 04CMS MLN Matters and program manuals

    Medicare Learning Network articles and the CMS Internet-Only Manuals are the operational sources for Medicare coverage, billing, NCCI edits, MUE values, place-of-service rules, and enrollment policy. NCCI Policy Manual chapters are cited directly when a guide hinges on a specific edit.

  5. 05NIST Special Publications

    NIST SP 800-66 (HIPAA Security Rule implementation), SP 800-30 (risk assessment), and SP 800-53 (security controls catalog) are the technical references the Security Rule's risk-analysis requirement implicitly anchors to. The SRA corpus cites these as the controls-mapping foundation.

  6. 06State regulator publications

    State attorney general guidance, state Department of Health bulletins, and named state statutes (CMIA, BIPA, MHMDA, SHIELD, TX HB 300, 201 CMR 17.00, CTDPA, CPA, FIPA) govern the state-overlay layer above HIPAA's federal floor. Each state page on D3rx links the AG and DOH home pages and cites the named statute by citation.

  7. 07Industry bodies (AMA, AAPC)

    AMA CPT and AAPC coding references are cited where the question is one of coding convention rather than regulation — modifier sequencing, E/M leveling history, place-of-service nuance. Industry guidance is never used to override a regulator source.

Section 02

Citation standards.

Guides cite primary sources where they exist, and otherwise visibly disclose that no external citations are on file. The structural Sources block at the bottom of every detail page renders explicit frontmatter sources where the author declared them, and otherwise auto-extracts citation-grade URLs from the body — .gov, .mil, and known state-regulator hosts.

The auto-extraction runs at render time on the server. Markdown links, HTML anchors, and bare URLs are all scanned. A guide with zero qualifying citations in body and no explicit sources renders the visible “no external citations on file” placeholder rather than a blank Sources block — the “cite or visibly acknowledge” rule. Crawlers and humans always see something to scan.

Compliance, SRA, glossary, regulations, and states pages render a visible last-reviewed date pinned to the frontmatter; billing guides render a visible last-updated date. Regulations pages additionally render an accessed_iso verification date on the primary .gov citation block at the top of the page.

Section 03

Restraint principles.

The full forbidden-claims roster lives at /editorial-standards — every phrase the build-time scanner refuses to let ship, paired with the one-sentence rationale per phrase. The principles below are the editorial commitments behind that roster.

  1. 01We cite the regulator, not the consultant.

    A guide may quote a consulting firm's white paper for color, but the controlling citation has to be eCFR, HHS, OCR, CMS, or NIST. If the only available source is a vendor blog, the guide either pulls back to what the regulator actually published or does not ship.

  2. 02We refuse the certification frame.

    HHS and OCR do not certify software, vendors, or compliance programs. D3rx does not stamp practices as compliant, ready, certified, or audit-proof. The forbidden-claims roster at /editorial-standards lists every formulation we will not use and why.

  3. 03We name what we cannot verify.

    When a guide depends on a payer-specific contract, a state-bar opinion D3rx has not read, or a regulator-issued letter we cannot link to, the guide says so explicitly rather than asserting the underlying claim as fact.

  4. 04We date every page.

    Every detail page renders a visible review or update date pinned to its frontmatter. Compliance, SRA, glossary, regulations, and states pages render last-reviewed; billing guides render last-updated. Pages that drift past the review interval are queued for re-verification, not silently retired.

Section 04

What we don’t do.

The four lines below are the perimeter D3rx will not cross. If a question requires one of these, the right answer is to engage counsel, the regulator, or the payer directly — not to read another guide.

Section 05

Reviewer model.

Current state. Articles are drafted by an LLM (Anthropic Claude) against the primary sources listed above, then edited for restraint and source fidelity by the D3rx team before publication. Every page renders an “Authored by D3rx” block at the bottom that discloses this process honestly.

Planned state. D3rx is engaging a named credentialed reviewer — a CHC, a CHPC, or a healthcare attorney — to verify citations on the compliance corpus as part of future review passes. Until that engagement is active, no page makes a credentialed-review claim and no schema.org reviewedBy attestation is emitted. The reviewer registry at src/lib/team/reviewers.ts is gated by an active: true flag — until a signed engagement is on file, the live site does not make a claim it cannot back.

How to see the named reviewer when active. The /team page is the public source of truth. When a credentialed reviewer is engaged, their name, credentials, and verifiable sameAs URLs (LinkedIn, state-bar, NPI registry, HCCA) appear there and on every guide reviewed by them. Until then, the page surfaces the placeholder transparently rather than inventing a name.

Take it into the workspace

The workspace runs on the same discipline.

The Security Risk Analysis and SRA Binder Studio assemble the same .gov-grounded artifacts every guide cites — policies, BAAs, training logs, risk-analysis evidence, breach-clock playbooks — and store them against the primary sources they came from. The same forbidden-claims scanner runs over every binder export.