Session 2: Complete the Luxury Rehab Outreach Playbook

Purpose: Paste this entire file as your opening prompt in a new Claude Code session.

Working directory: C:\_my\_solanasis

Approach: Use /deep-plan to plan, then execute directly. Do NOT use /ultra-auto (it had file persistence issues in Session 1).

Delete this file after use — it’s a prompt, not a deliverable.


PROMPT START

Context: What Was Done in Session 1

We started building a comprehensive national vertical outreach playbook targeting luxury/boutique residential addiction treatment centers. Session 1 completed:

  1. Full research on 42 CFR Part 2 + HIPAA (verified, sourced)
  2. Full research on treatment center breaches (8 specific incidents with names/dates/dollars)
  3. Full research on EHR vendors (Kipu, Sunwave, BestNotes, Alleva + 5 others, with shared responsibility gaps)
  4. Full research on competitive landscape (8 named competitors profiled)
  5. Full research on conferences (8 events with dates/locations)
  6. Full research on associations (NAATP, NBHAP, state-level)
  7. Full research on marketing agencies as referral partners (7 agencies)
  8. Read all reference playbooks for reuse analysis (DRY score: 45%)

What was NOT completed:

  • TAM / market sizing (how many luxury rehab centers exist nationally)
  • Geographic concentration data (clusters ranked by count)
  • Directory sources analysis (SAMHSA, NAATP, LuxuryRehabs.com usability)
  • PE in behavioral health (which firms, deal activity)
  • Ownership model profiles
  • Specific target facilities list with owner names and LinkedIn profiles
  • The actual playbook document itself (nothing was written yet)

What Needs to Happen in This Session

Phase 1: Fill Research Gaps (~30 min)

A. TAM / Market Sizing

  • How many luxury/boutique residential treatment centers exist in the US?
  • What defines “luxury” (price 100K+/mo, private suites, amenities, private pay)
  • Total residential treatment centers (SAMHSA baseline) → luxury subset estimate
  • Market size in dollars for Solanasis

B. Geographic Concentration

  • Rank clusters: Southern CA (Malibu, Newport Beach), FL (Palm Beach, Delray Beach), AZ (Scottsdale, Sedona), CO (Boulder, Vail), UT, HI, CT/NY
  • Estimated facility count per cluster if findable

C. Directory Sources for Prospect List Building

  • SAMHSA Treatment Locator (samhsa.gov) — can it filter residential + private pay? URL, usability, record count
  • NAATP Member Directory — accessible? Filterable?
  • LuxuryRehabs.com — how many listings? Structured data?
  • Psychology Today treatment directory
  • State licensing databases for CA, FL, AZ, CO, UT, CT, NY — specific URLs
  • Google search operators (provide 10+ specific queries)

D. PE in Behavioral Health

  • How many PE deals in behavioral health in 2025? (seed says 56)
  • Which PE firms own luxury treatment centers? Name them.
  • How does PE ownership change the buying process for IT security services?

E. Ownership Models

  • Profile the 4 types: clinician-entrepreneurs, recovery advocates, investor groups, PE-backed
  • Decision-making style, budget authority, sales cycle length for each

F. BUILD A SPECIFIC TARGET FACILITY LIST (This is new and critical)

  • Use WebSearch to identify at least 50 specific luxury/boutique residential treatment centers by name
  • For each, capture: Facility Name, Location (City, State), Website URL, Estimated Price Range, Bed Count (if findable), Accreditation, EHR System (if findable)
  • Focus on the top clusters: Malibu/SoCal, Palm Beach/South FL, Scottsdale/AZ, Boulder/CO
  • Search strategies:
    • "luxury rehab" Malibu site:luxuryrehabs.com
    • "luxury treatment center" "Palm Beach" residential
    • "executive rehab" Scottsdale private
    • "boutique treatment center" residential addiction
    • Search LuxuryRehabs.com, SAMHSA locator, Psychology Today, Google
  • Try to identify the owner/CEO/Executive Director for each facility from their website
  • For facilities where you can find the owner/CEO name: search LinkedIn to find their profile URL
    • Search: site:linkedin.com "[Owner Name]" "[Facility Name]"
    • Or: site:linkedin.com "[Owner Name]" "addiction" OR "treatment" OR "recovery"
  • Output as a structured table in the companion TAM file

G. LinkedIn Scraping Strategy

  • Write a Python script (save to solanasis-scripts/prospecting/) that:
    • Takes a CSV of facility names + owner names
    • Uses Google search (via requests + BeautifulSoup) to find LinkedIn profile URLs
    • Outputs enriched CSV with LinkedIn URLs
  • Also write Google search operator templates for manual LinkedIn prospecting
  • Include Apollo.io search filters specifically tuned for this vertical

Phase 2: Write the Complete Playbook (~2-3 hours)

Write the full playbook to: solanasis-docs/playbooks/Luxury_Rehab_Treatment_Center_Outreach_Playbook_2026.md

Write the companion TAM file to: solanasis-docs/playbooks/Luxury_Rehab_TAM_Research_2026.md

The playbook has 10 sections. Here is what goes in each, including the research findings from Session 1 that should be incorporated:


Section 1: Total Addressable Market (TAM)

  • Market definition (luxury vs. standard)
  • Market size estimate (from Phase 1A research)
  • Geographic concentration ranked (from Phase 1B)
  • Directory sources table with URLs and usability (from Phase 1C)
  • Google search operators (10+)
  • Action plan for building the 200-500 facility master list
  • The specific target facilities list goes in the COMPANION file

Section 2: Segment Profile

  • Ownership types (from Phase 1E): clinician-entrepreneurs, recovery advocates, investor groups, PE-backed
  • Decision-maker personas table: Owner/CEO, Clinical Director, Operations Director, Compliance Officer — for each: title, what they care about, how to reach, what language resonates, buying authority
  • Org structure at a 20-40 person luxury facility: clinical staff, admin, marketing, admissions, billing
  • Tech stack: EHR systems + shared responsibility gap

Session 1 EHR findings to incorporate:

  • Kipu Health — Market leader. HITRUST certified. 256-bit AES encryption. Signs BAA. Hosts Elevate conference (April 22-24, 2026, Carlsbad CA, 300+ attendees). Facility must still handle: risk assessments, staff training, endpoint protection, access management, IR planning, network security.
  • Sunwave Health — Cloud-based, merged with Lightning Step Oct 2025. Post-merger support reportedly weaker. HIPAA compliant.
  • BestNotes — $58/user/month (transparent pricing). ASAM-compliant. AI charting reduces documentation 70%.
  • Alleva — Full EHR + CRM + RCM. U.S.-based support. HIPAA compliant.
  • Also: Behave Health (EHR + consulting arm Behave360), Cantata Health/Arize (EHR + managed IT), Dazos (data analytics middleware), ICANotes

Key finding: Every EHR vendor operates on a shared responsibility model. The vendor covers app-level security. The facility must cover: risk assessments, staff training, endpoints, network, physical security, vendor management, IR planning, 42 CFR Part 2 consent, patch management, email security, non-EHR data backup.

  • Existing vendor relationships: clinical compliance consultants, EHR vendors, insurance billers, marketing agencies, MSPs
  • How they currently handle IT: owner/admin does it (most common), local MSP (some), nobody (common), dedicated IT (rare under 60 employees)
  • Language shift table (DO/DON’T vocabulary for talking to treatment center staff — min 8 rows):
    • DON’T: “cybersecurity assessment” → DO: “client data protection review”
    • DON’T: “vulnerabilities” → DO: “privacy exposure points”
    • DON’T: “penetration testing” → DO: “controlled security validation”
    • DON’T: “threat actors” → DO: “unauthorized access risks”
    • DON’T: “attack surface” → DO: “areas where client data could be accessed”
    • DON’T: “data breach” → DO: “unauthorized disclosure of client records”
    • DON’T: “endpoint security” → DO: “device protection for staff tablets and laptops”
    • DON’T: “network segmentation” → DO: “separating clinical systems from guest Wi-Fi”

Section 3: Pain Points & Service Mapping

Map each pain point to a Solanasis service with deliverable, pricing, and talk track.

Session 1 findings to incorporate for 42 CFR Part 2:

  • Feb 16, 2026 compliance deadline has PASSED. OCR actively accepting complaints and breach notifications.
  • Key changes: single consent for TPO, HIPAA breach notification now applies, criminal penalties replaced with HIPAA-style civil penalties
  • Penalty tiers: Tier 1 73K/violation; Tier 2 73K; Tier 3 73K; Tier 4 2.19M per violation
  • IT controls now required: encryption (rest + transit), access controls (minimum necessary), audit controls, data segmentation for SUD records, breach detection capability, formal security policies
  • First enforcement action already taken: Top of the World Ranch Treatment Center (IL) — $103,000 settlement for failed risk analysis after phishing attack exposed 1,980 SUD records (Feb 19, 2026 — just 3 days after enforcement began)
  • OCR Civil Enforcement Program for SUD Records launched Feb 13, 2026

Session 1 findings for HIPAA Security Rule proposed overhaul:

  • NPRM published Dec 27, 2024. Final rule expected ~May 2026. 180-day compliance window.
  • ALL implementation specs become mandatory (no more “addressable” vs “required”)
  • Mandatory MFA for ALL ePHI access
  • Mandatory encryption at rest AND in transit
  • 72-hour recovery requirement
  • Network segmentation required
  • Vulnerability scanning every 6 months, pen testing every 12 months
  • Technology asset inventory (including AI tools)
  • Annual compliance audits
  • Documented, tested incident response plan

8 pain points to map:

  A. 42 CFR Part 2 compliance gap → ORB with Part 2 overlay (19.5K with +35% compliance uplift)
  B. HIPAA Security Rule → ORB + remediation sprint
  C. Client data discretion audit (THE unique Solanasis angle) → ORB “Discretion Audit” add-on
  D. Wire fraud / BEC (75K payments) → ORB email/collab domain + staff training
  E. Vendor security assessment (EHR, billing, marketing agency) → Vendor BAA review in ORB
  F. Incident response planning (Part 2 now requires breach notification) → Remediation sprint deliverable
  G. Cyber insurance readiness → ORB produces insurance-questionnaire-ready documentation
  H. Staff training → Fractional retainer includes quarterly training

Section 4: Customized ORB for Luxury Rehab (“Client Data Protection Review”)

Adapt the standard 10-day ORB methodology. Keep 10 days, 3 calls. Replace 6 generic domains with 8 rehab-specific domains:

  1. EHR & Clinical Systems Security
  2. Identity & Access Management
  3. Network & Physical Security
  4. Email & Communications Security
  5. 42 CFR Part 2 Compliance Controls
  6. Vendor & Third-Party Assessment
  7. Backup, Restore & DR Readiness
  8. Incident Response & Breach Readiness

Day-by-day outline, report deliverable structure (including “Discretion Score” — 1-5 scale), pricing strategy (17K range for luxury), upsell path (ORB → remediation 35K → retainer 5K/mo → annual reassessment 10K).

Reference existing ORB Pack v2 files: solanasis_orb_pack_v2/02_Internal_Delivery_Playbook.md, 03_Pricing_And_Packaging_Internal.md, 16_Remediation_And_Retainer_Options.md

Section 5: Pitch Deck Outline

11 slides, detailed enough to build in Canva:

  1. Title
  2. Opening hook (emotional — client data exposure scenario)
  3. Regulatory landscape (Part 2 + HIPAA timeline)
  4. Industry statistics (from breach research)
  5. The Discretion Gap (“Your clients pay for privacy. Can your IT deliver?”)
  6. What we assess (8 domains visual)
  7. Case study (hypothetical — “What we typically find at a 30-bed luxury facility”)
  8. The deliverable (report structure + Discretion Score)
  9. Pricing & engagement options
  10. Why Solanasis
  11. CTA

Design notes: deep navy (#1B2A4A), warm white (#F5F1EB), accent gold (#C4A265). No stock hackers.

Section 6: Apollo.io + Multi-Source Prospecting Guide

Apollo filters for luxury rehab (adapt Search 10 from apollo-io-cheat-sheets-2026-03-25.md):

  • National, C-Suite/Owner/Founder, headcount 11-200
  • Industry: Hospital & Health Care, Mental Health Care
  • Keywords: treatment center, rehab, recovery, addiction, residential treatment
  • Exclude: methadone, outpatient, community health, county, government
  • Luxury filtering: keyword signals (luxury, executive, private, boutique), location targeting (known clusters), manual website review

Multi-source: SAMHSA, NAATP, LuxuryRehabs.com, Psychology Today, state licensing DBs, LinkedIn, Google operators, insurance directories.

Credit-efficient strategy (10 exports/month on free plan). 5-step Apollo sequence template. Master prospect list building action plan.

Section 7: Outreach Messaging

Tone: Professional, compliance-focused, empathetic. NOT fear-mongering.

  • 4 cold email variants (75-100 words each):
    A. Regulatory hook (Part 2 deadline)
    B. Discretion gap hook
    C. Peer proof / what we’re seeing
    D. HIPAA Security Rule timing
  • 10 ranked subject lines (lowercase, 2-5 words)
  • 5-step email sequence with full copy
  • 3 LinkedIn connection request variants + follow-up messages
  • Phone script (warm, consultative) with discovery questions and objection handling
  • One-pager content outline (PDF leave-behind)

Reference: solanasis-cold-email-outbound-master-playbook-2026.md, solanasis_orb_pack_v2/15_Outreach_Pack.md

Section 8: Competitive Landscape

Session 1 findings to incorporate:

Direct competitors (behavioral health IT):

  1. IT For Addiction (itforaddiction.com) — Cooper City FL. Managed IT exclusively for addiction treatment. 20+ years. Most direct competitor. Appears small, South FL focused.
  2. Atlantic Health Strategies (atlanticbehavioral.com) — IT managed services + behavioral health consulting. Claims 40-60% savings vs internal IT. Knows HIPAA + 42 CFR Part 2.
  3. Cantata Health — EHR (Arize) + managed IT services. Acquired Geisler IT Services.
  4. Power Solution (powersolution.com) — NJ only. Using Feb 2026 Part 2 deadline as sales hook.

Broader players:

  5. Clearwater Security — Healthcare MSSP. 500+ customers. Enterprise-level (likely too expensive for SMB treatment centers).
  6. Compliancy Group — HIPAA compliance SOFTWARE (8/employee). Preferred HIPAA partner for NAATP. Paper compliance, not IT. Potential REFERRAL PARTNER.
  7. PYA — Advisory firm, behavioral health compliance consulting. Not IT-focused. Potential referral source.
  8. Behave360 (Behave Health) — EHR vendor’s consulting arm. HIPAA/Part 2 compliance, mock audits.

Key gap: No dominant national player for SMB treatment center IT security. Market is fragmented.

Solanasis differentiation:

  • Part 2 + IT intersection (clinical compliance people don’t do IT; IT people don’t know Part 2)
  • Discretion audit (unique — nobody else offers this)
  • Independence from EHR vendor
  • Remote-capable national delivery

Include: differentiation matrix table, competitive response scripts for “We already have…” objections.

Section 9: Sales Process & Timeline

Remote sales process (7 steps), discovery call structure with rehab-specific questions, objection handling (“can you do this remotely?”, “we have an IT guy”, “we passed our HIPAA audit”, “our EHR handles security”), referral strategy, conference/association strategy, content marketing angle.

Session 1 conference findings:

  • NAATP National 2026: May 4-6, Amelia Island FL. 600+ attendees, 70 exhibitors. Theme: “Future-Proofing Treatment: Technology in a People-Centered Workplace.” HIGHEST PRIORITY.
  • Kipu Elevate 2026: April 22-24, Carlsbad CA. 300+ treatment providers.
  • NatCon 2026: April 27-29, Denver CO (LOCAL!). Thousands of attendees.
  • BHT 2026: Sept 22-24, Nashville. Most tech-focused. 3,148.
  • NAADAC EMPOWER2026: Aug 29-31, Kansas City. 1,000+ attendees.
  • Becker’s BH Summit: April 15-16, Chicago.
  • CBHC Conference: TBD 2026, Colorado (local).
  • BHNR Conferences: 2-3/year, Pompano Beach FL area.

Session 1 association findings:

  • NAATP: Affiliate membership available for vendors. Gets listed in vendor directory visible to all provider members nationally. Contact: 888.574.1008.
  • NBHAP: Multiple membership tiers including Associate and Premiere Partner.
  • State: CBHC (CO), CCAPP (CA), FBHA/FADAA (FL), AAAP (AZ).

Session 1 referral partner findings (marketing agencies):

  • BHNR (Behavioral Health Network Resources) — Pompano Beach FL. Owns 12 LinkedIn groups (50K+ members), 45 Facebook groups (150K+ members). Runs 2-3 conferences/year. LED BY Charles Davis (561-235-6195). STANDOUT referral partner.
  • MGMT Digital — Team includes former treatment center operators.
  • Dreamscape Marketing — Acquired by Unlocked Health. Compliance-aware.
  • Argon Agency — South FL. Full-service.
  • Webserv — Team includes former treatment center operators, admissions staff, clinicians.
  • Lead to Recovery — Admissions-focused.
  • Behavioral Health Partners — Full-service.

Section 10: Success Metrics & Go-to-Market Timeline

30/60/90 day milestones, weekly activity targets, conversion rate assumptions, revenue targets (Year 1: 320K from this vertical), investment decision points (paid Apollo at 3 ORBs, LinkedIn Sales Nav at 5 ORBs, sub-branding at 8+, NAATP conference at 10+).


Key Stats for Outreach Copy (From Session 1 Research — Use These)

| Stat | Value | Source |
|---|---|---|
| Healthcare breach average cost | $7.42M | IBM/Ponemon 2025 |
| Healthcare costliest sector | 14th consecutive year | IBM/Ponemon 2025 |
| Average detection + containment | 279 days | IBM/Ponemon 2025 |
| Large breaches reported to OCR (2024) | 742 | HIPAA Journal |
| Individuals affected (2024) | 289,162,330 (record) | HIPAA Journal |
| Healthcare breaches involving insiders | 70% | Verizon 2024 DBIR |
| Healthcare orgs hit by ransomware (2024) | 67% | Sophos |
| OCR collections (2024) | $9.9M | HIPAA Journal |
| OCR settlements/CMPs (2025) | 21 total, $6.6M+ | HIPAA Journal |
| Max per-violation penalty (Tier 4) | $2,190,294 | HHS |
| Risk Analysis Initiative actions | 12 by early 2026 | OCR |
| AAC breach (Sept 2024) | 422,424 records, $2.75M settlement | HIPAA Journal |
| BayMark breach (Sept-Oct 2024) | 16,548 records, 1.5TB exfiltrated | BleepingComputer |
| Top of the World Ranch (Feb 2026) | $103,000 OCR settlement, 1,980 records | HHS.gov |
| Deer Oaks (July 2025) | $225,000 OCR settlement, 171,871 records | HHS.gov |
| Both largest SUD providers breached | Within 3 weeks of each other (Sept-Oct 2024) | Multiple |
| BH EHR market size (2025) | $4.1B globally | Credence Research |

Breach Incidents Table (For Pitch Deck — All From Session 1)

| Facility | Date | Type | Records | Outcome |
|---|---|---|---|---|
| American Addiction Centers | Sept 2024 | Ransomware (Rhysida) | 422,424 | $2.75M class action settlement |
| BayMark Health Services | Sept-Oct 2024 | Ransomware (RansomHub) | 16,548 | 1.5TB data published (didn’t pay) |
| Therapeutic Health Services | Feb 2024 | Hacking | 14,000+ | $790K settlement |
| Behavioral Health Resources | Nov 2024 | Data incident | 50,083 | $1.1M settlement |
| Seven Counties Services | Jul-Aug 2024 | Data breach | Unknown | Up to $1M settlement |
| Kitsap Mental Health Services | Oct 2024 | Data breach | ~70,759 | Class action settlement |
| Man Alive/Lane Treatment Center | Pre-2025 | Ransomware | Unknown | Data posted on dark web |
| Deer Oaks (OCR settlement) | 2021-2023 | Public exposure + ransomware | 171,906 | $225K OCR + 2-yr corrective plan |
| Top of the World Ranch (OCR) | 2023 (settled Feb 2026) | Phishing | 1,980 | $103K OCR + 2-yr corrective plan |

Reference Files to Read Before Writing

Read these for context, voice, and frameworks. Reference, don’t duplicate:

  • Master GTM Playbook: solanasis-docs/playbooks/Solanasis_Master_GTM_Playbook_2026.md
  • Cold Email Master Playbook: solanasis-docs/playbooks/solanasis-cold-email-outbound-master-playbook-2026.md
  • Apollo Cheat Sheets: solanasis-docs/playbooks/apollo-io-cheat-sheets-2026-03-25.md
  • Brand Voice: solanasis-docs/solanasis-voice-profile.md
  • Outreach Options: solanasis-docs/playbooks/outreach-options-march-2026.md
  • ORB Pack v2: solanasis-docs/playbooks/solanasis_orb_pack_v2/ (especially 02, 03, 15, 16)
  • ICP Pain Briefs: solanasis-docs/reference/icp-pain-briefs-2026-03.md (Section 2: Healthcare)
  • Estate Attorney Kit: solanasis-docs/playbooks/Estate_Attorney_Cold_Outreach_Kit_v1.md (structural pattern)

Tone & Format

  • Professional, compliance-focused, empathetic. NOT fear-mongering.
  • “Protect your clients and your license” not “you’re going to get hacked”
  • Actionable checklists over academic analysis
  • Actual copy (emails, scripts) not placeholders
  • Tables for comparisons, bullet points for lists
  • Obsidian-compatible markdown (no MDX)
  • kebab-case for new files (but the playbook filename uses underscores per convention with existing playbooks)

Planning Approach

Use /deep-plan to plan the approach. The work breaks into:

  1. Research gap-fill (~30 min): TAM, directories, PE, ownership + specific facility list building
  2. Write Sections 1-4 (~45 min): TAM summary, segment profile, pain points, custom ORB
  3. Write Sections 5-8 (~45 min): pitch deck, prospecting, outreach messaging, competitive landscape
  4. Write Sections 9-10 + assemble (~30 min): sales process, metrics, header, TOC, QA
  5. Write companion TAM file (~20 min): detailed TAM with specific facility list
  6. Write LinkedIn scraping script (~15 min): Python script for enriching prospect list
  7. Run senior-reviewer on finished playbook (this is a strategic deliverable)

After Writing

Run the senior-reviewer agent on the finished playbook — this is a strategic deliverable targeting a new national vertical.

Also clean up:

  • Delete this seed file
  • Delete the original seed file (SEED-luxury-rehab-outreach-playbook.md) per its own instructions
  • Delete any temp files in solanasis-docs/temp-working/rehab-*
  • Update .ultra-plans/luxury-rehab-outreach-playbook-STATE.md to Completed

PROMPT END