Skip to main content
    Trust and procurement

    Due diligence should describe the real product—not an imagined enterprise platform.

    Review current Community Acquired Finance capabilities, scoped-review items, services not offered, privacy boundaries, and procurement questions.

    AreaAvailable nowRequires scoped reviewNot offered
    Product accessPublic responsive web experience; no participant account required.Dedicated campaign path, custom branding, or organization-specific materials.Eligibility files, HRIS/payroll connections, EHR access, or claims ingestion.
    Data handlingFixed-choice answers stay in the browser tab; consent-gated analytics use fixed identifiers.A written data-flow review for any requested customization or measurement change.PHI, member IDs, employee files, plan documents, diagnoses, unrestricted notes, or uploaded records.
    Professional scopeGeneral financial and healthcare-cost education, preparation, and official-source handoffs.Organization-specific legal, compliance, clinical, benefits, and communications approval.Medical, legal, tax, investment, fiduciary, brokerage, coverage, enrollment, or eligibility decisions.
    Security and privacyData-minimized public product, documented privacy terms, correction channel, and bounded analytics.Security questionnaire, incident contacts, retention terms, subprocessors, and business-associate analysis.A HIPAA, SOC 2, HITRUST, or other certification claim unless independently completed and documented.
    Accessibility and contentKeyboard, mobile, automated accessibility, source, freshness, and route checks are part of release gates.Organization accessibility criteria, VPAT request, translation, reading-level, and participant testing needs.A blanket conformance guarantee for every assistive technology, language, or future page.
    Support and servicePublic correction and contact channels; scoped launch orientation and findings review.Named owners, service hours, response targets, escalation path, and change-control terms.24/7 clinical concierge, benefits administration, case management, or emergency support.

    Current public capability

    Responsive public education, live calculators and guided tools, fixed-choice program planning, local-only participant workflows where stated, source and freshness controls, consent-gated fixed-ID analytics, and public correction and contact routes.

    No implied certification or enterprise readiness

    CAF does not represent HIPAA, SOC 2, HITRUST, BAA, SSO, account provisioning, participant reporting, 24/7 support, or integration readiness unless separately completed, reviewed, and documented.

    Review standards—not certification claims

    Reviews are informed by organizational health literacy, plain language, accessibility, privacy risk management, and the actual HIPAA covered-entity or business-associate relationship. These references guide review and do not create a conformance or certification claim.

    Contact boundary: Do not send PHI, employee or member records, plan documents, names, IDs, diagnoses, medications, claims, case-specific details, or other sensitive information. Begin with organization type, broad audience, decision moment, timeline, and accountable owner.