Episode 31: From Pixels to Privacy – The Evolution of Healthcare Data Compliance
Hosted by Aaron Burnett with Special Guest Adam Putterman
In this episode of the Digital Clinic, we dive into the evolving landscape of healthcare data compliance with Adam Putterman, Co-founder of Ours Privacy, discovering how his company charted a new course from a telehealth platform to a HIPAA-compliant customer data platform that’s reshaping healthcare marketing.
The conversation reveals the significant transformation healthcare organizations are navigating, moving from pixel-heavy tracking to privacy-first marketing strategies, sparked by evolving regulations and increased enforcement. Whether you’re navigating the complexities of state privacy laws, implementing consent management platforms, or aiming to maintain marketing performance while ensuring compliance, this episode offers practical insights into how healthcare companies can balance growth with privacy protection in an increasingly regulated landscape.
The Origin Story of Ours Privacy
Aaron Burnett: I am really curious about the history of Ours Privacy. Tell me the story of the company.
Adam Putterman: We get this question a lot because it’s a bit of an odd story. Depending on your experience or how you look at it, people either have a very extreme reaction of surprise or “Oh, of course that’s the only way to do it,” which is fun to see how people react.
At a high level, the story starts when my two co-founders and I started a different company way back in maybe late 2019, 2020, on the provider or platform side. So we started a company called Ours Therapy, which, if you know the name of our current company, you’ll see that we’re very uncreative when it comes to naming.
We started a company called Ours Therapy that was a telehealth platform for marriage counseling, relationship counseling, and counseling and coaching. All things in that sort of vertical. That business grew very strongly and reliably off the back of paid search and paid social. At the same time, we were storing and dealing with incredibly sensitive data. Like people coming to us for help with their most sensitive and important relationships. We had a really hard-line conservative stance on privacy and security from the beginning.
Then in 2021 and 2022, with what was going on with Meta and all the lawsuits that were going through, and then with the new HHS guidance, the OCR action, FTC action, and increasing state privacy laws, all of that, we wound up in a place where we were completely pixel-less. No third-party scripts or anything on the site. That was effective and valuable from a privacy and security perspective, but as a person that was running growth and marketing, it was challenging, to say the least.
So we felt like we were faced with this impossible challenge of growing the business or respecting the privacy of our patients and the federal and state guidelines or guidance with legislation. Luckily for us, our product team and really one of my co-founders, Tyler the CTO, had a really deep background in MarTech and marketing technology.
So we built this sort of internal lightweight CDP to start, that enabled us to work with these ad platforms and analytics platforms in a way that was privacy safe, HIPAA-compliant, et cetera. It started very small, very much a point solution. It drove a lot of growth for the business, so we kept investing in it; it kept growing. I think after the 15th time we had a partner or a peer ask us how we were solving this problem and if they could use the tool, we spun it out into Ours Privacy, so that’s where the boring name comes up because we weren’t going to spend time on redoing the name. That’s the origin of Ours Privacy, which is a HIPAA-compliant customer data and privacy platform; we help healthcare companies compliantly advertise, run analytics, connect data.
Aaron Burnett: It’s always inspiring to hear where the market has pulled the solution out of an existing company and slapped you in the head a few times to tell you that there’s a business opportunity.
Adam Putterman: Yeah. We always joke that it was like the first 10 times we said, “No, thank you. That’s a distraction.” We felt really smart, focused, and disciplined. Then, now looking up where the platform and the company is now, it’s like, “Man, we should have said yes the second time or the third time, at least.” Like 10 times? That’s too many.
Aaron Burnett: You might not have been ready the first or second time.
Adam Putterman: True.
Aaron Burnett: Only to the good. So tell me about how the platform works.
The Architecture and Implementation of Server-Side Privacy Solutions
Adam Putterman: What resonates the most with me is that we act as a filtering layer or connecting node between covered entities, healthcare companies, sensitive data providers, and all third-party ad and analytics sources and destinations of data. So what happens is we sign a BAA with our clients. They’re able to remove any third-party pixels on the site and just work with us. All of that data then hits our HIPAA-compliant servers first, whether it’s a source or a destination of data. Like a CRM versus a Meta. Everything is blocked by default; nothing goes anywhere by default; everything’s blocked.
Then, from there, what we do is make it very easy to have complete control over what data goes where, in what manner. You can strip anything you’d like, modify anything you’d like, scrub, obfuscate anything you’d like before it goes somewhere else, so that’s important for doing things like removing IP addresses and sensitive UTM or URL paths, for obfuscating the names of server-side events and ensuring that you’re respecting CMP or consent opt-outs, things like that.
Aaron Burnett: In terms of integration with other third-party platforms, this is all server-side connections. You’re doing server-side collection as well. When you implement with a client, do you become the default and only means of data collection? Do you displace, then you remove all other third-party tracking?
Adam Putterman: I would say 90% of the time, that’s true. 10% of the time, particularly for very large, very complex orgs or very new sort of scrappy, messy orgs, there’s something else running in parallel that we’re either pushing or pulling from, or that’s just truly in parallel, but 90% of the time, how you described it is right.
Aaron Burnett: Talk me through an implementation. First of all, I think one of the things that’s quite impressive about your platform is the speed to implementation. Talk me through what’s required to implement, what sort of timeline? Who needs to be at the table?
Adam Putterman: In some ways, every company is a snowflake. Unique in its own way, and has different teams. We work with some organizations where we are only working with marketing. It’s very straightforward. It’s very simple. I think the fastest we’ve ever had someone up and running is two hours. Very lean team. Every decision maker’s there. We’re just working with the marketing team.
Then you have other organizations, particularly like a large health system or urgent care center chain, DSO, DNA testing, things like that, where there’s just going to be a certain minimum number of stakeholders that need to be involved in every meeting. That’s marketing, that’s legal and compliance, and that’s like the engineering or IT team, depending on what they call it, as well as ops, and it really just starts to cover across the whole organization.
Regardless of what happens, we like to start everything with an audit, and it’s both a technical audit as well as a sort of organizational audit of who needs to be there in order to make certain decisions, approve certain things. Because it touches everything, it’s not just ad optimization or analytics, it’s also the data collection. Because a lot of what you want to track and optimize for is directly related to what the customer experience is, and there’s a two-way path there when things are going well.
Aaron Burnett: The takeaway from that answer, the speed of implementation is really fast. The limitation is maybe a change management limitation based on the complexity and the ability to implement in a nimble fashion on the organization side.
Adam Putterman: 100%. The only other thing I would say that can sometimes slow down implementation, because it’s really a technical factor, is third-party vendor interactions. Particularly on the technical side. If you have 10 companies that need to talk to each other outside of the client, it’s going to be a problem. Everyone has different SLAs around customer service, different preferences around email, Slack, Teams, and calls. Sometimes that can be challenging, to say the least.
The Impact of Privacy-First Marketing on Daily Operations
Aaron Burnett: So I’m a digital marketer. Ours Privacy has been implemented. What changes for me? I’ve gone from this world where I am using third-party tracking. I’ve maybe got a compliance team that has high risk tolerance, but I’m now being careful, and I’m using Ours Privacy. How does my job change? How does the data to which I have access change, and how do I continue to be effective?
Adam Putterman: It’s a fantastic question. Again, I’m probably going to sound like a broken record, but it depends so much on what the before is. So we see very different types of companies. The first one we see is a system that, in ’21 or ’22, pulled everything from the site; it has been flying completely blind, no analytics, no ads, nothing in place. Now they’re realizing that this is the new normal. It’s not going away. It’s not something you can ride out. They find our tool, and in that case, they’re ecstatic. Because they can do their job in 10x more ways than they could previously. There’s no more guesswork, and they get to show the ROI of all the work that they’re doing. They get credit for all the work marketing’s doing, which is great.
So in that case, it’s very simple. They go from pushing campaigns and then waiting and watching to being able to do all the things that any digital marketer wants to do, like split testing, launching new channels, A/B testing, and different optimization choices. Because it’s not always true that the lower in the funnel you go, the better, which I think I actually saw you give a great talk about at Sway.
So that’s the first path. The second path is someone that was fully pixeled up, for lack of a better term, realizing that’s not feasible anymore or not advisable, and is switching over. So switching over to us. To be frank, there are some disadvantages to that. This does not come without a cost. They are now potentially or almost definitely sending less data back to ad platforms than they were before. So they might have to get a little bit more creative in how they’re running campaigns or optimizations, things like that.
On the other hand, though, they now have access to server-side connections across all platforms. So a big thing we see in that scenario is relief around “I don’t have to go to engineering if I want to launch Meta through CAPI”. “I don’t have to go to engineering and set up all these events, do all these things. I can just point and click to do it.” So huge relief there around the velocity of new experiments and channels that you can run.
Data Collection vs. Data Sharing and Consent Management
Aaron Burnett: Philosophically, and I guess architecturally, is your approach that you collect relatively full fidelity data? You don’t share full fidelity data, but you are collecting fairly robust data to which digital marketers at client companies have access. But you are controlling with the fine-grain filter anything that’s shared. So the difference I guess, methodologically or operationally for a digital marketer is I can still get the insights I need, but I’m going to get them in this walled garden rather than on third-party platforms and the change in art is that I need to determine my insights in the context of the data to which I have access, and then I need to implement those insights in an independent fashion in third-party platforms without sharing data that I’m not supposed to share. Is that an accurate description and explanation?
Adam Putterman: Yes, I think you brought up a really great point, which is that there’s nothing wrong with the collection of data if you have proper consent. The problem is where you share it, and particularly when 99% of the places you need to share it are not going to sign a BAA. But you do bring up a really important point, and I’m really curious if you’re seeing this as well, but I would say of the top three things that we’re seeing as a major trend of 2025, like coming up increasingly in conversations that we were not hearing in 2024, one of the top three things assuredly is consent management.
I remember in 2024 having dozens of discussions around “We’re not in the EU. This isn’t GDPR.” With the sort of explosion of state privacy laws and the state and civil action that has followed them, consent, I think, is the sort of thing that we’re all going to be talking about in 2026 as “Oh, why didn’t we do this? How could we do this faster?” type of thing. I’m curious if you’ve seen the same.
Aaron Burnett: So we see the same thing and then the complement to consent management, which is testing and monitoring of consent management. To ensure that, alright, fine, you set up your consent management platform and you thought it was working in this way, it would be a good idea to routinely test that as well and to make sure that you’re actually respecting the consent or lack of consent that you’re getting.
Adam Putterman: It’s almost worse. Yeah, you bring up a good point, which is the only thing worse than not collecting it at all would be to appear to respect the preference and not.
Aaron Burnett: So I interviewed the CEO of ObservePoint a few weeks ago, and he said they have never once scanned a new site and found that it was compliant from a consent management perspective, not one time. And that’s our experience as well.
Adam Putterman: That’s amazing. I feel like we see the same thing with, I have never spoken to anyone that understood 100% of the things that they had on the site. There’s always something that they didn’t realize was either on the site or was on the site, sharing data back. Even if it’s something like a YouTube embed, that’s just like, how could you know that if you didn’t spend all your time in this world?
Aaron Burnett: So I saw some of the content on your site, particularly in your blog, talking about the pernicious danger of video embeds and that sort of thing on a site, and that’s a really stealthy way that people get into trouble. It seemed benign to put this video on my blog, and it came with a payload of all sorts of data collection that it shouldn’t be doing.
Adam Putterman: Yeah, it’s funny, it’s like the Trojan horse of this space. Like video and maps, I would say, are another thing that had a spike in 2024 for a little bit, and then has been a little bit quiet in the space, I think, for Q1 of this year, and then now is starting to pop again. Particularly, again, it all comes back to these states getting more involved, I think, in healthcare with the VPPA. There’s nothing wrong with tracking on a blog post. But then the challenge is what is the blog post? Like the data, you have to go beyond that. If you’re on a post that’s symptoms for condition X or book an appointment for condition Y, that’s a very different type of data to be sharing back. Like it matters the type of page, particularly with things like this Healthline case where they cared a lot about inference. Those are also often the pages where you’re going to see a map or a video, not just a pixel.
The Implications of Legal Rulings and State Privacy Laws
Aaron Burnett: I also have a thesis that the ruling, which appeared to favor AHA, was really narrowly tailored. It was principally about the administrative errors in the way the guidance was offered. What the judge said is not “This is wrong.” What he said was, “You did it wrong. You violated the Administrative Procedures Act, and there’s a different way you need to do this.” So I have a suspicion that the aspects of the OCR guidance that were ruled invalid are going to come back. They’ll be differently offered, and differently published, and differently implemented, but they’re still going to come back.
Adam Putterman: I totally agree. I think even if you do read it in the most non-conservative way, at the very least, it was a validation of the other 99% of the guidance that was not discussed. Which I think people gloss over. They’re like, “Great, this part was revoked.” I’m like, “But by definition, the other part was enforced, or validated, or pushed further.” It’ll be really interesting.
Aaron Burnett: And as you point out, there’s so much happening at a state level. That, regardless of what happens with the OCR guidance, you have to comply with these state regulations, and enforcement action around those state regulations is ramping up. So it doesn’t make any sense to be cavalier.
Adam Putterman: Let’s take the thesis that if you’re dealing with an unauthenticated page, you don’t have to worry at all for some reason. It’s not PHI. What’s interesting is that most of these state data laws, like you look at Washington, they carve out PHI as non-relevant. It may not fall under HIPAA concerns, but now it falls under My Health My Data concerns, which in many ways are more stringent or more onerous around what you need to do. So you almost want it to be PHI so it’s part of the carve out, and there’s now this weird game theory aspect of I could see a world where the AHA at some point is suing to expand the definition of PHI so that they’re carved out from all these state privacy laws and at least don’t have to deal with a patchwork anymore.
The Classification of CDPs and Future Privacy Regulations
Aaron Burnett: Exactly. And which state privacy laws actually create the carve-out, and which don’t have the carve-out? Let’s jump back up to capabilities. So you mentioned that you are running a CDP. A CDP is a term that’s bandied about a lot in this industry. There are different flavors of CDPs. You have the Goliath CDPs that promise to do all things, including real-time personalization and tie into AI and all sorts of things, and you have lighter-weight CDPs that are more utilitarian and more about lightweight data collection to inform digital marketers in the near term, but not offering real-time personalization or any of the other complexity. Where does Ours Privacy fall on that continuum? What features and functionality do you offer?
Adam Putterman: I almost would explicitly describe it as a lightweight CDP. There’s one to many dispatch. There’s identity stitching. There is connection and collection across various sources and destinations, but it is by no means a full-stack CDP. It has a focus on marketing data. It has a focus on privacy and compliance. So I would either describe it as a lightweight CDP or a privacy and compliance-focused CDP.
Aaron Burnett: Sure. That makes sense. I am curious about your perspective on privacy regulations. We’ve talked about healthcare, med tech, and HIPAA-covered entities. What do you think will be the evolution of privacy regulations as it pertains to other industries over the next five, 10 years?
Adam Putterman: It’s a great question. I think that the first thing we think about a lot, and I’m starting to sound again like a broken record, is just the states. That feels like the thing that’s going to dictate everything, and the states seem to care a lot. Most of these privacy laws, although they have carve-outs and extra provisions for various sectors, industries, types of data, they raise the floor of what’s required so much beyond anything that the average company is thinking about today that it almost doesn’t matter. I think that’s going to be the primary driver, one.
Then two, I think consumer sentiment, if anything, is continuing to push towards an expectation of more and more privacy. I think there was a period maybe five, 10 years ago where that was really in question. People weren’t sure if the broader market would care or would almost push companies more towards usage. But people certainly seem to increasingly prefer privacy-focused, privacy-forward, privacy-led marketing, and it’s becoming more and more important. I think a lot of the panic around the 23andMe acquisition is part of that, or is a good bellwether there as well. I feel like we’re going to have a really, not exciting, but volatile two to three years as these, not just the privacy laws come live, but the implications of. We’re so early in terms of seeing the implications of these AGs and the states actually enforcing, and then what the domino effect will be.
The Potential of AI Privacy and Federal Data Aggregation
Aaron Burnett: My thesis is that the privacy laws that currently most impact healthcare, med tech, and healthcare-related industries are coming for all industries, over time. My thesis is that part of that certainly will be driven by state regulations and increasingly rigorous regulation there, but I also think there’s a nexus of a few other dynamics that are going to come into play. You are right. Consumer expectations around privacy are increasing.
I think we also are likely to see the negative impacts and probably some really notable, really prominent negative impacts of a lack of privacy protections around artificial intelligence. You have no expectation of privacy if you’ve not configured things correctly when you start to use ChatGPT or Claude or anything else. So they are actively slurping up data, both through their data training models, but also through usage. I think it is likely that some bad things will happen there.
I also think we’re seeing what is likely to be a troubling aggregation of previously disparate and siloed data sets at a federal level that will be alarming to people. I think the implications of that aggregation will be alarming, and I think that privacy will become an even more critical societal issue and a commercial issue. So I think you’re well-positioned to focus on privacy and to be very focused with your CDP.
Adam Putterman: We know what we want to do, and that’s all we want to do. We say no to a ton of things every day and just keep pushing this further and further for the companies we work with and the people we’re trying to serve.
Aaron Burnett: I appreciate the time. It was a great conversation.