Episode 38: Turning Privacy Into Performance – A Guide to Compliance Monitoring for Healthcare
Hosted by Aaron Burnett with Special Guests Michael Wiegand and Emily Brooks
In this episode of the Digital Clinic, we explore the critical world of compliance monitoring with Michael Wiegand, Director of Marketing Sciences, and Emily Brooks, Front End Developer at Wheelhouse DMG, uncovering how healthcare organizations can transform regulatory requirements into competitive advantages through continuous website monitoring.
The conversation reveals a striking reality: no healthcare website has ever passed its first compliance audit. Michael and Emily share their hands-on experience implementing ObservePoint for HIPAA-covered entities, explaining why consent management platforms shouldn’t police themselves, how daily monitoring protects both revenue and reputation, and what actually happens when you scan a healthcare website for the first time. Whether you’re documenting HIPAA compliance for regulators, managing complex tech stacks accumulated over years, or trying to ensure your consent promises are actually kept, this episode offers a practical roadmap for building confidence through independent monitoring that serves legal teams, marketing departments, web developers, and IT stakeholders alike.
Download the Ultimate Guide to Compliance Monitoring: https://www.wheelhousedmg.com/insights/research/privacy-compliant-martech-guide/compliance-monitoring-and-auditing-tools/
What Is Compliance Monitoring?
Aaron Burnett: I am here talking with Michael Wiegand, who is Director of Marketing Sciences, and Emily Brooks, who’s a front end developer for Wheelhouse Digital Marketing Group. We have published this fantastic new guide, the Ultimate Guide to Compliance Monitoring, Audit, and Auditing Tools. Michael and Emily are experts in this space and were a big part of putting this information together. I thought, who better to speak with than the two experts who know much more than I do, or anyone else who maybe wrote some of this prose. Let’s start off with the fundamentals. Let’s talk about defining what compliance monitoring is and why it’s important for certain industries. Michael, you want to kick things off?
Michael Wiegand: Yeah, that sounds great. Thanks, Aaron, for having us. First of all, I’ll say that compliance monitoring is an outside-in way for you to scan your web properties and make sure that you’re not doing anything uncompliant, if that’s a word.
Aaron Burnett: It is now.
Michael Wiegand: Just coined. So, what it allows you to do is scan for things like tracking tags, cookies, data layers, and network requests that are going out to third parties and to your own servers. You’re able to understand if you have honored the user’s consent, if that data has successfully been sent, and if it’s structured in a way that will allow you to activate for marketing purposes but still align with your compliance standards.
Aaron Burnett: We focus on privacy-first industries, principally healthcare and medical device manufacturing. Most of our clients are HIPAA covered entities. Why is compliance monitoring critical for businesses in those verticals?
Why Healthcare Organizations Face Higher Compliance Standards
Michael Wiegand: First of all, you’re held to a lot higher standard. OCR and HHS are watching for one. With the recent lawsuits that have come up in this space against companies that have been doing online advertising and collecting data that they shouldn’t be about customers, there’s an increased magnifying glass on a lot of this activity online. We need to make sure that we’re honoring patient and web visitor preferences so that you don’t get caught unawares by these kinds of audits and that you have a paper trail for this sort of thing.
Aaron Burnett: Emily, you’re on the front lines implementing compliance monitoring. You have implemented our own compliance monitoring solution in years past, and we now use a platform called ObservePoint. Can you tell me a bit about our decision to shift to ObservePoint and what you have appreciated about working with ObservePoint?
Why We Switched from In-House to ObservePoint
Emily Brooks: Yes, that’s a great comparison. What I appreciate so much about ObservePoint, honestly, is the ability to look at the information, especially when something doesn’t go according to our expectations. In our previous platform, I would oftentimes get notifications that something had failed. But to extract what had failed or why it had failed was very tedious. It was not a good user interface or wasn’t a user interface. It required retrieving logs and really drilling down into unusable data or information. Pulling out the information of what failed and why it failed was very tedious. With ObservePoint, one of my favorite things is that when something fails, not only do I get a notification that it failed, but then I can get into the ObservePoint platform, and I can really explore what happened. I can see the failure point. That helps me problem-solve much faster, much more efficiently. For me, the user interface of ObservePoint is the main difference that makes me like it so much, and it makes it easier to use.
Aaron Burnett: Yeah, so we’re doing something very uncharacteristic of any company, but particularly a marketing company. We’re talking about why we developed our own technology and then switched to a different platform rather than using our own technology. But we are committed to best of breed, the best solution out there, and we found somebody else’s solution was better than ours, and so we use it. As you shifted to using ObservePoint, what were you able to see? What did you discover as you began to implement it for clients that was maybe novel or surprising and hadn’t been visible before?
What You Discover in Your First Audit
Emily Brooks: What I loved about it right away was that initial audit. If I point it to a website and I say scan ten pages or a hundred pages, once that scan is complete, I have all this information to work with. Now, not all of that information is relevant for every client, but it’s just a plethora of information that I can dig into depending on what matters to the client and what we’re trying to achieve. A lot of times in our case that is a compliance interest, and in other cases it may not be. I can then kind of shape that data and find the story that I want to tell or that I need to find out more about. That’s what really was intriguing about it from the onset. It was just, okay, look at all this information. Now what do we need to know? What can we extract from it?
Aaron Burnett: You talked a little bit about the business case for compliance monitoring. Compliance monitoring is really the tip of the spear in ensuring that consent state is being respected, right? Compliance monitoring often is a companion to consent management platforms to ensure that the consent that is recorded or a lack of consent is then followed through. That tracking pixels don’t fire for people who said don’t track. There aren’t things implemented on a site that nobody knew about, but somebody published a webpage and accidentally included some of those trackers. Can you give us a little bit more of a sense for the business case for using a third party or external consent management platform and maybe some of the other things that are surfaced by compliance monitoring platforms aside from consent state?
Michael Wiegand: Yeah, that’s a great question. A couple things. The 800-pound gorilla in the room in terms of consent management platforms is OneTrust, right? Lately, a number of our clients have been adopting OneTrust. They got a very early head start when things like GDPR went into place in 2018 in Europe, and they’ve continued to branch out their use cases around user consent up until now, including things like CCPA and other domestic laws here in the United States. They’re making sure that they can deploy the correct opt-in or opt-out model in the way that people interact with cookie banners. How that translates to a monitoring tool like ObservePoint is they have a way to run an audit such that you can have their scanner, their crawler, either approve all cookies and accept the banner, or you can have it deny the banner. You can see the two states of what happens in ObservePoint when they’ve either accepted or denied. That shows you a very sharp picture of the ways in which you’ve honored the user’s consent and the ways in which you haven’t. That allows you to look at things like cookie groups, including analytical and advertising pixels, as well as things that are deemed as strictly necessary or functional cookies. Are those really things that are trackers in disguise? That allows you to group all of those things together and put some data governance in place that allows you to control that consent in a very tight manner and make sure that you’re honoring it when the users interact with the banner.
Aaron Burnett: Emily, from your perspective, why is it important to use a third-party compliance monitoring platform rather than the auditing capability or the monitoring that is built into, let’s say, a OneTrust or another consent management platform?
Emily Brooks: I think what I see is that I have one platform that monitors a lot of different activity. Rather than OneTrust just telling me what OneTrust may be doing, I have a tool. I have a platform in ObservePoint that is telling me what a lot of different things are doing. I have sort of one source of truth that I go to that’s an independent observer of what’s going on the website.
Michael Wiegand: Not allowing your consent management tool to police itself, I think is a very interesting concept here. Having a trusted second set of eyes on what’s happening with your consent rather than this user opted in, this user didn’t and showing all of the downstream sort of knock-on effects from that. That means that they’ve been shown these tags and these cookies.
The Reality: No Website Is Ever Fully Compliant
Aaron Burnett: I interviewed ObservePoint’s CEO. He told me, and I’ve heard him say elsewhere, that not once in the history of the company have they audited a site and found it to be fully compliant. I think our experience has been similar, at least for organizations that don’t have our HIPAA compliant data solution in place. How common is it, Emily, that we first start to run a compliance monitoring solution like ObservePoint and what we see is a surprise to the organization and to us?
Emily Brooks: I really don’t have an expectation of what I’m going to see. If anything, it’s okay, tell me what’s happening. Then like I said before, what do we do with this information now? I guess I’m not really surprised because I’m just expecting that we have to figure this out and we have to see where they’re at. It’s like a starting point. We talk about in the ultimate guide, we talk about the baseline and forming that baseline. That’s what I look at those initial audits to be. It’s telling us the story of what’s going on with the website and then how are we going to use that information to then tailor or design the monitoring that we need in place for that particular client.
Understanding Technical Debt Through Compliance Monitoring
Michael Wiegand: The way websites get built is often a patchwork of many different people over many different years contributing to code bases. You get to see all of the technical debt that’s been built up over time. When you run that first audit and compliance monitoring, you get to see all of the pixels. For example, many websites still have the old Universal Analytics Google tags on their site many years after Google has deprecated that tool. It’s a great identifier of all of this historical data that you have to excavate and help yourself get rid of and acknowledge with your development team.
Emily Brooks: I would say too, the surprise comes when you have your audit and you have your rules and alerts and everything in place, and then you get a notification that something’s failed and you’re like, wait, this wasn’t there yesterday, or this was working as expected yesterday. Why now? What’s going on? Then you have to do that investigative work to see is it something wrong with our configuration? Is it something that maybe, to Michael’s point, somebody, a developer on the client’s team that is maybe a few teams removed from us, deployed something that broke our configuration or conflicts with it? Then you’re like, oh wait, this is surprising. How do we fix it now? Or what needs to happen? That’s usually where the surprises come in.
Aaron Burnett: In implementing a compliance monitoring solution, who are the stakeholders on the client side with whom we need to work and who we can support? The self-evident thing is, all right, this is compliance monitoring, so we’re going to work with the compliance people and maybe have some contact with the marketing team. But who are other constituencies that we can support with compliance monitoring and auditing?
Emily Brooks: That’s an interesting question for me because I tend to answer like Michael and Ernie are my stakeholders, I would say, because they’re the ones that are configuring Tealium. They’re the people that tell me what we need in place, what’s important to this particular client and for this particular compliance. They’re my stakeholders to be truthful internally for what services we’re providing to the clients.
Who Your Stakeholders Are Beyond Compliance Teams
Michael Wiegand: Ultimately, we are answerable to the client’s marketing teams and their development teams, IT teams sometimes as well. Ultimately, we convene as a group. We put together a story of why our audit failed and what we think is the root cause. Then oftentimes we’ll have to hand that off to a third party within the client’s organization to actually address some of those needs. Sometimes we have control of it within our tag management platforms, Tealium or Google Tag Manager, as Emily mentioned. But oftentimes, it’s a relic of the client’s code base from years or months ago or something they newly implemented that we have to work with them to get addressed.
Aaron Burnett: It’s my sense that a compliance monitoring platform serves at least four constituencies. Legal and compliance, always, but now more than ever, because of the requirement to document compliance state and data flow on a routine basis as part of maintaining compliance with HIPAA guidelines. Marketing obviously, and then also web dev engineering because of all of the rich information, the diagnostic information and the implementation implications for web dev and engineering. So, it seems like a platform that serves a number of different constituencies within a client organization, as well as our own stakeholders who are configuring tag management and that sort of thing on behalf of our clients.
Michael Wiegand: In the case of ObservePoint, that extends even out to UX and UI teams as well. There are a lot of reports within ObservePoint that allow you to look at the core web vitals of the pages that you’re scanning as well as things like site speed too. It does give you just a myriad of different things for different stakeholders.
Aaron Burnett: We have our own little love affair with ObservePoint. We like ObservePoint a lot. But there are other compliance monitoring and auditing platforms out there. Give me a sense of the marketplace alternative solutions available either by name or by type and sort of the trade-offs involved.
Alternative Platforms in the Compliance Monitoring Marketplace
Michael Wiegand: Yeah, couple things around that. First is there are some holistic observability platforms like Locker and DataTrue that offer similar kinds of feature sets to ObservePoint. But those, I would say ObservePoint has a pretty substantial lead in terms of their reporting suite and their API. They’re really the market leader in terms of the overall observability platforms. There are some platforms that are more tailor-made towards marketing tag inspection, and there’s one in particular called Tag Inspector developed by InfoTrust. That allows you to look at how your tags are firing alongside various frameworks around HIPAA. Most of the other tools out there do one slice of what the core observability platforms do. Either tracking tags specifically, cookies specifically, but not the whole picture. But it might work for some marketers that just need a lens into tags specifically, and they don’t really care about data layers or other things like that.
Aaron Burnett: My understanding of the implementation architecture for compliance monitoring is that the solution sits outside of the MarTech stack or the engineering stack for the organization and runs independent of it. Is that important to efficacy, and if so, why?
The Advantages of Outside-In Monitoring Architecture
Michael Wiegand: I think the outside-in approach offers a number of different advantages. It’s similar to the way that something like Googlebot would scan the website in the same way that LLMs are now crawling websites. So, it is discovering your site in the same way that these other search engines and crawlers would. It’s a very natural flow into how users would experience it and discover it. The other piece too, again, is that some of the other auditing tools that might be built into a CMS, for instance, or some of these other third party tools that require you to install some kind of tracking pixel on your site, is you have a little bit more latitude and control and it doesn’t require a huge lead time in terms of startup. The one thing that we have run afoul of is oftentimes some IT monitoring tools will see the crawlers coming in from the outside, see that they’re hitting a lot of pages and doing a lot of scans and block them unintentionally. That could be one drawback of using the third party. But by and large, it allows you to get a great picture of the landscape without additional internal dev work necessary to stand it up.
Aaron Burnett: Emily, what are some important things that people should know before and as they implement a compliance monitoring platform?
The Learning Curve and Getting Maximum Value
Emily Brooks: A learning curve is involved. I think that it’s particular to diving into something new. When we were moving away from our own in-house solution, I wanted to just put in some URLs and hit a button and let it work for me. It does that. But there’s also a learning curve involved to really get the most benefit from whatever the platform is that you choose. I would say, I think of it like Photoshop, which is a very robust tool, but there is an element of learning that goes into it so that you know exactly what can be done and how to do it. I think just putting in that time to get the most out of the platform that you choose is really important. I’d say what I enjoy about ObservePoint is that we have the broad spectrum of audits and then we have the narrow spectrum of journeys. We have these two different monitoring tools that we can set up so that we have something that’s very wide about what’s happening throughout the website. Then we also have something that we can tailor to a very specific user journey. I think having that duality of those two monitoring avenues is also very important to what we are trying to do.
Aaron Burnett: That’s very interesting. So, you’ve mentioned this broad compliance monitoring and this narrow user journeys. Can you talk a little bit more about user journey testing and monitoring, what that delivers and what sort of value we derive from that information?
User Journey Testing: From Broad Audits to Narrow Monitoring
Emily Brooks: Specifically, what comes to mind as an example for journeys is making sure that we aren’t passing any PHI in a URL, for example, as a parameter. Something as simple as my name and my date of birth or my email or something is a very specific, clear journey that we run and it just says, yes, you’ve cleaned your URL when you send this data off. Something like that is very specific and it’s a one-step journey, making sure that we are not sending out protected information.
Aaron Burnett: Can you, in similar fashion, use, in this case ObservePoint, but another, maybe even another compliance monitoring platform to test particular user journeys and ensure that their functionality, their efficacy remains high quality? There’s not a problem, for example, in a conversion flow or something like that.
Michael Wiegand: Yeah, there’s a couple different use cases. One is we like to use journeys to look at conversion flows. Things like can a user participate in a purchase on a site or fill out a lead form and do all of the right tags, network requests, and pixels get sent in accordance with their compliance at each stage of that journey. Then we also do get, as part of the larger audit, if a scan or a page fails to load, we can also record that sort of experience on the part of a user and be able to detect really quickly, okay, there might be a problem with the website. We need to dig into why certain form technologies might not be working or why certain pages may have gone down.
Aaron Burnett: Emily, I’ve got another question for you. When a compliance monitoring platform is set up, how near real-time are the alerts? Is that something that is configurable so we can know in seconds if there’s a problem? Or is this more of a batch processing kind of a thing and we’ll know once a day or at the end of the week?
Real-Time Alerts and Response Times
Emily Brooks: It depends on how often you’re running the audits, and that’s your choice. If an audit runs and there’s something that fails within that audit, I will be notified when the audit ends. I get an email straight away that something’s gone wrong, and then I can investigate. The cadence that we find works well for most of our monitoring is daily. If something fails, I would know that day and then would be able to troubleshoot straight away. On other things that might present a little less risk, I might only run those twice a week, but again, as soon as it fails, I’ll be notified. Then in some cases, like with the journeys, for example, let’s say it runs and it fails and I’m not able to get to it or troubleshoot it straight away. If it runs again and succeeds, then I’ll be notified as well that it’s been corrected. Or if I implement the solution and I run it again manually and say, okay, let’s test it again, and it fixes itself, or it’s been fixed, then I will be notified right away that it’s now working again. That’s what makes the alerts and the notifications super helpful, because we know that we aren’t going to have downtime if something fails and we don’t hear about it for a week.
Aaron Burnett: Having implemented ObservePoint, you talked a little bit about what people maybe need to know. You are quite expert. You had already worked with our monitoring solution. What was the ramp-up time to become proficient at implementing ObservePoint? And what did you learn along the way that others should consider if they’re going to implement a similar platform?
Emily Brooks: I still have a lot more that I can learn from ObservePoint in particular, the platform that we’re using. There’s a lot more functionality that it can do that I haven’t tapped into yet. I still am looking forward to learning more, diving in more, and coming up with more solutions. Different clients require a different amount of monitoring and different levels and layers of monitoring. Each client, it’s been more of like a client-specific journey, I would say, to say this is what we need for client A, and this is what we need for client B. Client A took a lot longer to implement, but once I did that, then it informed what I did for client B, even if less configuration was required. I was able to take that knowledge from A and then reuse it or repurpose it for B, obviously making my work more efficient at that point.
Aaron Burnett: We were talking about the frequency of scans and the frequency of alerts. Is there an audit log that shows there was a failure and then there was a correction?
Emily Brooks: Yes. There’s a log both for audits and journeys, and you can easily access them and show even, there’s a visual aid that shows immediately, like in a calendar form, if I had a failure on this day or I had a failure on that day. Then generally speaking, the resolve will also show that, and it depends on how many times I had to maybe rerun something to get the fix in place. For example, especially in the case of if it was a customized JavaScript that I was using in a journey, I might have to rerun it and then I’ll have my little visual aids that show that I had a few fails, but then ultimately I got my green check, which means that it was successful again. But yeah, very easy snapshot visual aid to show the history of it.
Getting Started: First Steps and Time to Value
Aaron Burnett: For those who are considering implementing a compliance monitoring and auditing platform for the first time, what’s step one? And then a follow-on question, what’s elapsed time from, all right, I’ve made the decision we’re going to do this, I’m implementing a platform, how quickly are you going to see value from implementing that platform?
Michael Wiegand: Some of the things that I would assemble before you go into picking up a monitoring tool or an observability tool, get a real understanding of your highest trafficked pages on the site, the ones that are responsible for your highest amount of lead volume and or revenue. Start there. Build some bespoke views that look at both the compliance aspects of those pages and also how effectively you’re tracking from a marketing standpoint on the various tags that are firing there. That’s going to get you the most value. Because if any of those pages fail, go down for any reason, that’s missed revenue. I think that’s a clear place to start. The other things that I would take stock of from there is the people that are working on your tag management platforms or the people that are working on your consent management platforms. Get those stakeholders in the room, understand what they’ve configured in each of those areas, and then build some audits and journeys in your observability tool to really help you maximize your outside-in view into those tools’ effectiveness.
Aaron Burnett: And Emily, do you have a sense of a client, a company has gone through the review process? They have decided this is going to be our platform from the moment of decision to the moment of seeing first results and getting some value. Do you have a sense for the amount of time that’s elapsed? Is this a, hey, we’ve decided, we’ve implemented and we have value within a day, a week, a month? Is it a big IT project and it’s six months?
Emily Brooks: You could see value within a day by starting out with an audit, putting in your URL, telling it to scan anywhere from five to a thousand pages. You could immediately start to see all of the activity that’s going on in your website, and then that would help you start to formulate your strategy of what you need to implement from there. I would also encourage people to share this tool with other departments or other team members and inform them of what you’re investing in, because it could actually solve for a lot of different needs. If other people are aware that you’re using it, they may find a way that they want to use it as a solution for something they’re working on. Right from the onset, you can, if you share the news about it and you get people involved and you run that initial audit, for example, you could start having valuable information from that initial starting point.
Aaron Burnett: Can you give examples of some of those other needs that this kind of a platform might address?
Emily Brooks: Yeah, exactly. I think that’s really the broadness that this monitoring tool that we’re using or that other tools do. They solve for a lot of different problems. When we first implemented ObservePoint, or we were first transitioning to ObservePoint, for example, we had an event with one of our clients where their event that was supposed to fire on the purchase confirmation page of their e-commerce website had failed, had broken or fallen off, and we didn’t learn about it for over a week. That really impacted our digital advertising team. When I was playing around with ObservePoint in the initial days, I was like, I think we could maybe check for this with this new ObservePoint tool that we have. It’s a client that we have that has two e-commerce websites and we were able to set up a user journey, which is actually very extensive. It goes from landing on the product page to entering the quantity of what you want to order, hitting checkout cart, and then entering all of your user information that you would if you were making the purchase, such as your name and address, clicking what type of purchase you’re going to, how are you going to pay for this? Very extensive. It’s like a 20-step user journey all to get to the final purchase page confirmation that says your purchase was successful, and then ensuring that pixel is still firing. That runs every day because when that fails, time is of the essence. We can’t, it doesn’t do us any good to learn about that a week later. In fact, it’s harmful to learn about it a week later. Now we will learn about it that same day and then be able to fix it.
Beyond Compliance: Unexpected Use Cases
Michael Wiegand: I’ll give a couple more examples too that are out of the compliance and typical observability realm. The first is we’ve been talking to clients a lot about accessibility standards and one of the things that we can scan for is whether or not we failed certain accessibility checks, whether there’s high enough contrast between colors on our site and whether or not our site would work properly with a screen reader for those that are visually impaired. Being able to pass those checks too I think takes away from some potential lawsuit risk and also helps you just deliver better experiences overall for a broader set of your customers. The second case is around site speed. After our clients have implemented new sort of personalization features on their site, we were able to detect that they had taken a performance hit and they had seen some slower loading speeds on a lot of their key landing pages. That helped us think a little bit more thoughtfully about how we want to deploy those sort of personalization features for customers and what the trade-off is between performance and ultimately revenue from those pages, right? The perception of the user when they land and those pages load. Those are just a couple of different ways that we’ve been able to find some additional utility out of these observability tools. We haven’t really talked about the brass tacks of what a tool like this costs and what sort of pricing model they operate on. I think that’s really important because instead of having a minimum annual fee that you’re charged for the use of this platform like some other scanning platforms, you pay as you go with the number of scans that you’re doing for a lot of these tools. That becomes really critical for you to just dip your toe in the water. You spoke earlier, Aaron, about the time to value from these tools. 
When you can buy in at any sort of level you want to and there’s a very low minimum threshold for what sort of scans you want to run, that helps you realize that value a lot faster and understand what the tool is capable of, even at very low levels of investment. It’s not expensive to start and you can get a lot of value.
Aaron Burnett: It’s almost unique in that it’s the one space where cost versus value returned is very nicely asymmetrical. Cost is low, value’s very high for relatively low investment, particularly that initial investment and initial implementation and the value delivered there. It only takes one letter from an enterprising attorney for your cost equation to change dramatically. You’ve both been fantastic. I really appreciate you taking the time to speak to me and to shed a little bit more light on the world of compliance monitoring and auditing. Thanks a lot for your expertise and your insights and for spending this time with me.
Michael Wiegand: Yeah, it was a pleasure.
Emily Brooks: Yeah, thanks for having me. Appreciate it.