EasyVOB: Claude as the compliance watchdog, not the verification engine
A live HIPAA-focused VOB service. Claude's verified role: compliance watchdog, not the verification loop.
easyvob.com ↗## the problem
Behavioral health admissions teams lose patients while they wait on insurance verification. A VOB, verification of benefits, means someone calls a payer or digs through a portal to confirm eligibility, deductibles, and out-of-pocket maximums before a patient can be admitted. I work in this space through my agency, and the VOB step is where intake stalls.
EasyVOB is the productized answer: providers submit patient details through a secure form, a HIPAA-trained team verifies eligibility and coverage, and the provider gets a benefits breakdown back. Per the live site, that breakdown covers active or inactive status plus in-network and out-of-network deductible and out-of-pocket max remaining, and the service is built for behavioral health, detox, outpatient, and mental health workflows.
Here is the honest catch for this build log: the interesting part of EasyVOB is not AI. Patient data is involved, so the verification loop is human by design. Claude's verifiable role here sits around the property, not inside it: compliance tooling, stack audits, and keeping a HIPAA-adjacent site from doing something stupid like leaking lead data to ad pixels.
## what I built
A public-facing service business with two halves. The marketing side is WordPress on Hostinger: Elementor with a Lexend child theme, All in One SEO, Contact Form 7, WooCommerce, and the LeadConnector plugin that ties the site into my HighLevel CRM stack. It includes a public pricing page with six credit-based tiers, from a one-time single credit up through monthly plans and a custom enterprise option.
The working side is a separate custom PHP portal, the Credits Dashboard, living at easyvob.com/verification-dashboard with its own login, sitting outside WordPress entirely. Customers buy credits, submit VOB requests through the dashboard, and get the benefits breakdown back there. Per the site, the verification itself is done manually by a HIPAA-trained team, not by software and not by AI.
The piece I can show Claude receipts for is the tooling around the property: Compliance Radar, a Node and Playwright scanner Claude built that checks an allowlist of sites, easyvob.com included, for tracking pixels like Meta and GA4, CCPA privacy links, and LegitScript status. For a site that handles healthcare leads, a stray ad pixel is a real liability, and this is the tripwire for it.
## how Claude was actually used
- 01
Classified the property before scanning it
In my compliance tooling, Claude wrote a site config that classifies easyvob.com as a Humbear Media B2B SaaS property, distinct from the covered-entity treatment center sites listed beside it. Different classification, different rule set: what is a violation on a treatment center site is not the same on a vendor site. That vendor-versus-covered-entity distinction is exactly the kind of detail that gets fudged when you do it by hand.
- 02
Built the watchdog, not the website
The clearest verified Claude work around EasyVOB is Compliance Radar: a Playwright-based scanner Claude built that loads a site once and runs every check in that one pass, detecting Meta Pixel, GA4, Google Ads, CallRail and similar trackers, plus CCPA link and LegitScript checks. easyvob.com ships in its default domain allowlist. The scanner reports evidence, actual pixel IDs and seal numbers found on the page, not opinions.
- 03
Accepted the safety rails I did not ask for
Claude shipped the scanner with a hard domain allowlist, an SSRF guard, rate limiting, mandatory auth in production, and a consent checkbox before any scan runs. It also deliberately refused to add a 0 to 100 compliance score, on the grounds that false precision creates defamation risk if the tool is ever pointed at a site I do not own. I kept every one of those decisions.
- 04
Got an honest handoff document
The session ended with a handoff doc listing exactly what Claude verified end-to-end, with the real evidence it found, and exactly what it could not test in its sandbox: the Docker build, the AWS deploy, the DNS. It left those as numbered decisions waiting for me instead of pretending they were done. That document is now my template for how every agent session should end.
- 05
Audited the stack for this very page
Before writing this log, Claude fetched the live homepage, the pricing page, and the portal login, and fingerprinted the stack from response headers and markup: WordPress on Hostinger LiteSpeed, PHP 8.2, Elementor, Contact Form 7, WooCommerce, LeadConnector, and a custom PHP Credits Dashboard. Everything in the stack list below comes from that audit, not from memory.
- 06
Stayed out of the PHI loop
Per the live site, VOBs are verified manually by a HIPAA-trained team. Claude is not in that loop, and that is the point: patient health information does not belong in a casual LLM workflow without a BAA and real controls. Claude's job on this property is the public-facing and compliance side, and drawing that line early made every other decision simpler.
## stack
## results (the verifiable kind)
- ✓Live at https://easyvob.com: a marketing site, a public pricing page with six credit-based tiers, and a separate login-gated verification portal at easyvob.com/verification-dashboard.
- ✓Homepage metadata on the live site shows a publish date of November 2024 and a last-modified date of December 2025, so the property has been live and maintained for over a year.
- ✓The full stack is observable from the live site and listed above; the portal is a standalone PHP app with its own auth, not a WordPress plugin.
- ✓easyvob.com ships in the default allowlist of Compliance Radar, the Claude-built scanner on my machine, and is classified in its site config as a Humbear Media B2B SaaS property with its own compliance rule set.
- ✓The scanner's checks were verified end-to-end against real sites during the build session, producing actual evidence such as specific tracking pixel IDs and a LegitScript seal number, documented in the project's handoff file.
## what I learned
- →Building on WordPress and hand-deployed PHP left me without receipts. There is no git history for EasyVOB, so I cannot reconstruct my own build timeline for this log. That is the thing that did not work: code-first builds give you proof for free, and this one has none.
- →Claude earns trust where its output is checkable. The compliance scanner reports evidence, real pixel IDs and seal numbers, instead of a score. Evidence survives an argument. A 0 to 100 rating does not.
- →The most valuable part of an agent session can be the refusals. Claude declined to add scoring, declined to scan domains without consent, and declined to claim it tested things it could not. I had to learn to read those as features.
- →Keep AI out of loops it has no business in. PHI plus a casual LLM workflow is a lawsuit with extra steps. Deciding early that Claude works around EasyVOB, not inside the verification loop, simplified everything downstream.
- →Your own marketing site will claim things you cannot prove yet. Auditing easyvob.com for this log surfaced claims, like client counts and turnaround times, that I now have to either back with data or tone down. Writing in public forces the audit.
$ follow --the-build
Watch it happen, don't take my word for it
Every build on this site gets documented as it happens — the prompts, the dead ends, the results. No course at the end of this funnel. There is no funnel.
follow on x →