Episode 49: How to Navigate Shifting Compliance Rules Without Sacrificing Performance 

Richard Chapman spent nine years as chief privacy officer at the University of Kentucky HealthCare System before founding Cyndelos. In this episode of the Digital Clinic, he joins Aaron Burnett to explain how compliance risk has moved from regulators you can follow at the federal level to state-level regulations and private attorneys you can’t anticipate. Marketers now have to contend with a patchwork of privacy laws across 21 states and counting, plus a rise in civil actions and demand letters that often invoke antiquated laws written before the internet existed.

Aaron and Richard talk through what marketers can actually do about it, from understanding what’s really running in your marketing stack to building a privacy-first approach that protects compliance and performance at the same time. Their shared takeaway: the technology is the easy part. The real challenge is getting marketing, legal, and compliance teams aligned.

Listen & Subscribe:

Introducing Richard Chapman 

Aaron Burnett: Welcome to “The Digital Clinic,” the show where we dig into what actually works in digital marketing for healthcare and med tech, the strategies, tools, and thinking that move the needle when the rules are tighter, the stakes are higher, and that’s the way we’ve always done it is no longer a viable answer. 

And that’s what we’re getting into today. Most healthcare and med tech marketers think of compliance in a regulatory context. You pay attention to federal guidance. You follow that guidance, remain compliant and out of harm’s way, and that used to be enough. But as today’s guest points out, clear federal guidance is in short supply these days. 

Instead, med tech and healthcare marketers need to understand and comply with a growing patchwork of state-level privacy regulations in 21 states and counting so far. And they have to contend with the rise in civil actions, demand letters from private attorneys, frequently invoking laws that most marketers have never heard of in states they may not even be targeting, antiquated laws written before the internet even existed. 

Richard Chapman spent nine years as chief privacy officer at the University of Kentucky HealthCare System before founding Cyndelos. He’s an attorney, a certified privacy professional, and information security professional, and what he’ll tell you is that compliance risk in healthcare marketing has shifted from regulators you can track at the federal level to state-level regulations and attorneys you can’t anticipate. 

Here’s our discussion. It’s a good one.  

This podcast is sponsored by Wheelhouse Digital Marketing Group. Wheelhouse provides exceptional performance marketing for healthcare and medical device manufacturers. Every Wheelhouse client saw record performance in 2025 even after implementing HIPAA-compliant data solutions. Find out more at wheelhousedmg.com. 

Where the Idea for Cyndelos Started 

Aaron Burnett: You were the chief privacy officer at the University of Kentucky for nine years, and you left to start a company. What is it that you saw at the University of Kentucky that made you think, “Oh, there’s a gap there. Somebody needs to build this thing”? 

Richard Chapman: This issue started to come to the forefront during the fall of 2022. 

There had been a big article by a publication from a nonprofit called The Markup earlier that year, and there started to be some lawsuits, and the Office of Civil Rights, which is the federal regulator out of HHS for HIPAA, had released some guidance in December that year. They didn’t really have a choice but to release some guidance on that because the lawsuits were flowing by then. 

Admittedly, while I knew and I liked the people in our marketing department, we didn’t have regular conversations prior to that period. We would talk a few times a year, and we would talk about, “Hey, can we collect emails for this?” or, “Can we use this information we’ve collected for this other purpose?” 

There wasn’t really any regular cadence to it, so this sort of threw us off. We got together with our legal, our security, our privacy, our marketing team, and we got around the euphemistic table and said, “What do we have running on this?” And by the time we talked to our outside ad agency and they connected with the software company that had built our website, still the best we could get to is, “We think this is what’s running, but we can’t guarantee you because this has been managed by different people through the time.” 

Building Cyndelos 

Richard Chapman: It was a manual process. That’s a really long lawyerly way to say it was a manual process, and we thought we could do it quicker and do it better. And I found out we weren’t the only ones in that boat. There was still a lot of just simply lack of education and lack of understanding about what are our privacy requirements in the marketing stack. 

Aaron Burnett: Tell me about the company that you founded. Tell me about the solution that you have created and how it addresses that problem that you saw. 

Richard Chapman: We’ve had an evolution, and I’ve found out that is not uncommon around startups. One of my partners and I were just talking about this problem, and we said, “I wonder if we can build a scanner for this.” 

That was not anything earth-shattering because there were scanners out there. There were some companies already in this. But what we really wanted to do was have the output serve some of the markets that really weren’t used to this. So one of our first clients was a healthcare system, a hospital in Northern Kentucky in the Cincinnati area. 

We started helping them run reports, showing their team how to use it. It was going through the security team. And essentially, their CIO told me one day, he said, “Have y’all ever considered doing services? We really don’t know what we’re trying to interpret here. We don’t really know what it means. 

You’re giving us a lot of great information about what’s running, and you’re giving us a lot of information about what’s being collected, but we really don’t know what the impact is.” So that was a light bulb moment, but that’s what eventually has happened, and it’s been an evolutionary process. We’re more service-focused on really doing a risk assessment of the marketing stack on behalf of the privacy view. 

And we still have to explain to people what we mean, but the best way I know how to explain it is there was a time 15 years ago when I worked in healthcare where we generally didn’t run risk assessments on the web applications that were developed. And there was a time period of breaches, vulnerabilities that were found, data that was lost, till we begin to see, oh, this is a risk point. 

We need to do that. And so I think we’re early into that point as far as where I think things are headed, but there’s still a lot of education that goes with that. 

Why Compliance Adoption Has Been So Slow 

Aaron Burnett: Yeah, that’s so true. For us, when HHS came out with the new guidance in November of 2022, we thought, oh, surely healthcare organizations, med tech, anyone who is a covered entity or proximate to a covered entity will have this sorted out in 12 to 18 months. 

Everybody’s going to move fast. And we have been astounded to find, oh, no. A few people moved really fast, either ripping everything out or putting a solution in place, or some combination, but we’re astounded to still be talking with organizations today, and the conversation starts with, “Yeah, we’ve been kinda thinking about this and coming up with our position, and we’re now deciding exactly what solution we’re going to put in place.” 

Or, “We did one thing and that didn’t work, and we’re doing the second or third thing now.” It is astounding how long it’s taken for the industry and its constituents to wrap their minds around this and catch up.  

Richard Chapman: Do you think that’s because it is harder for people to understand the technology that really drives this?  

Or do you think there’s just a natural, anytime there’s something new, anytime we change how we’re thinking about something, that it just takes time for people to become accustomed to it? Is it a technology problem, or is it a willingness to change problem? 

Aaron Burnett: I think it’s a combination of probably three things, one of which you hit on already, which is, all right, to sort this out, you need three constituencies to work together in a really close way that they haven’t before. 

So you need marketing to work with compliance and legal, and for them to understand what one another does and to develop a collegial relationship that’s mutually beneficial, and then to arrive at a position on compliance and marketing that everyone agrees with. That’s the first thing. 

The second is absolutely the technology and the fact that what’s astounding is that prior to November 2022, I would bet that 90-plus percent of marketers and probably their agencies either A, had no idea what was running on the websites in terms of tracking technology, or B, and this is even more true, didn’t know what was being collected or even the means by which the controls for what was being collected. 

The guidance was unclear in 2022. There were attempts to clarify it that partly clarified and partly confused, and then there was this American Hospital Association lawsuit against HHS which the American Hospital Association won, but really what the judge said was, “HHS, you could do this, but you did it wrong. 

You just need to do it in a different way.” So it’s really unsettled legally, so I think there are probably some folks, some organizations who are hanging back and deciding, “We’re going to see how this turns out.” 

The “Wait and See” Response to the AHA Lawsuit 

Richard Chapman: I think absolutely there are, and it brings to mind a healthcare organization that I talked to, actually a few months after the American Hospital Association decision was released by the judge. 

This was a Midwestern hospital system. I will say not University of Kentucky. And what they told me was they had gotten one of the original letters from the OCR, just the sort of pre-audit letters asking what they had run, that they had answered it, and they’d never heard anything after that. 

And after this lawsuit passed and things changed and OCR backed off of their appeal, which it originally looked like they were going to do, then they told me, “We’re just not sticking our head above ground. Why would we call and find out what’s going on?” In my experience, we look to the regulators to know what our risks were in the past. 

We would look to what are those corrective actions coming out? What’s the guidance saying? But I more often than not hear from organizations after they’ve gotten a demand letter from a lawyer, or it’s in common terms, it’s often called a CIPA letter because it’s referring to the California CIPA. 

And are you seeing the same thing where people are reacting to either class action lawsuits or demand letters or individual type of actions from attorneys more so than regulatory? 

Private Actions Are Replacing Regulatory Guidance 

Aaron Burnett: You’re right. There isn’t that clarity of consolidated guidance at a federal level, so instead it’s private actions and demand letters, and in most instances, they’re being disposed of very quickly and quietly. 

So they don’t create any clarity for any other organization, because it’s in the interest of the healthcare med tech organization just to, “We could just settle this and make them go away.” “And we don’t make the papers or anything like that.” You now have this patchwork of state-level privacy regulations. 

You have 21 states so far, and others with privacy regulations that are in the legislative process, and so there is no consolidated purview. There are just lots of different takes on this, and so there’s just more and more complexity, and it’s become increasingly challenging for organizations to figure out what the standard is and, as you said, what the corrective action is. 

The Challenge of a Patchwork Legal Landscape 

Richard Chapman: It’s a potential benefit to the business, but it’s also, I think, a difficulty for the market. Anytime there’s a lack of clarity around what the standard or rules are, then people struggle with that. They try to figure out, “What are we supposed to do?” Because marketing teams understand their tech stack. 

Privacy teams understand the general privacy rules, but there’s not clarity with that. And so from my perspective, I just think in this particular area, not in all privacy areas, but I think we’re going to have to think a little bit differently as privacy officers. We’re not going to be able to go to that OCR website and say, “Is this a risk for me?” 

We’re going to have to look to either what’s happening in our state or what associations are tracking these lawsuits and what potentially do they mean for me. Individual companies like Wheelhouse, I have to imagine it doesn’t make it easier for you to design solutions for individuals. It may make individual organizations want your solution more, but how hard do you find it when there’s a lack of clarity to be able to design technical solutions around this? 

Change Management Is the Hard Part 

Aaron Burnett: The truth is that the technical solution is arguably the easy part. Everyone’s going to move very quickly. We already have a solution. We should be moving very quickly to implement as well. And what we found is that the much harder, much more time-consuming issue is change management. It’s all the conversations that you need to have with all the constituencies to arrive at a perspective. 

And then once you get to the, “Now we’re going to implement this,” that’s arguably the much easier part. I hadn’t always thought about it that way, but it’s these interactions between internal groups are absolutely necessary in this, but are sometimes the biggest barrier to moving forward with a solution on this. 

Wiretapping Laws and the Video Privacy Protection Act 

Aaron Burnett: Let’s talk a little bit about the legal landscape, and in particular the laws that are being used in civil actions to file claims against, to prosecute healthcare systems, med tech as well. 

Talk a little bit about some of the wiretapping laws and the pen register laws that are being used and then get into why that makes it even more complex for folks who are trying to remain compliant. 

Richard Chapman: Yeah, and this was actually something I’ve encountered and learned through my process in this, because when I first engaged fully on this in late 2022, I was narrow-focused on what is OCR saying about this? 

What are our requirements? What are the lawsuits that are around their guidance? If you start tracking these lawsuits, though, really what was happening on your patient portal and what you were gathering referenced some of the OCR guidance and HIPAA violations in this regard. But the one that really got me on this road of there’s something different brewing in this was the Orlando Health case that was filed, I want to say I can’t remember if it was 2023 or 2024, but it used a state wiretapping law, pen register law, as some sort of claim that you’re collecting information that you aren’t permitted to collect under this state law. 

And the state wiretapping laws really are what I think of as a little bit of a balance against law enforcement, as telephone tapping, as the ability to wiretap a la Watergate from the 1970s really became technologically possible. Some of the states created these laws around restrictions for what could be tapped, what was the process for being tapped, and some of them required, if it wasn’t a law enforcement issue, two-party consent. 

And so there have been several states where this use of this particular law has really risen to the top, and it’s been tested in Florida, Massachusetts, Illinois, California, the civil law on that. And so you’ve got that part of things. But then the other one, the Video Privacy Protection Act, has been used as well in some cases. 

And that one, this one’s new to me. I hadn’t realized this until you mentioned it. This particular session of the Supreme Court they heard an argument over whether it’s applicable to this particular use. And at the time, when I first saw that, at first blush, I thought, “What are they talking about? 

This doesn’t make any sense.” But then you think about the embedded videos that, whether using YouTube, Vimeo, or some of the other video providers, and all of those have the potential to collect data about what you’re viewing. It really is a completely new twist on what I consider a Blockbuster, that type of video law where it came about right after Judge Bork’s essentially withdrawal as a Supreme Court confirmation because his video viewing habits became an issue during the confirmation hearings. 

And after that, our Congress got together and said, “Those records should be private.” So it’s the lawyers and the firms who are looking for ways to go after this, they’re finding not just what’s here and current, but they’re also looking back to some older state laws and, depending on the jurisdiction, finding some success in certain jurisdictions. 

Aaron Burnett: So it’s a novel application of law. It’s also an interesting example of why this is so complex and hard for sometimes marketers to understand because the act of sharing a YouTube video carries with it embedded tracking technology. So even if your site is compliant and you have not placed any tracking technologies that violate your compliance posture, share a YouTube video and you have, because it comes with its own payload. 

Why Compliance Requires Cross-Functional Teams 

Richard Chapman: You talked earlier about the need for this to be a multidisciplinary solution internally for different skill sets and knowledge to come together. I remember the first time, almost right after we started the company, that I got a question about an embedded video. And the question was, “Are we going to get in trouble if we embed a video, or do we just need to put a hyperlink to the video on these sites and let people go out to that if we need to?” 

And I understood the legal part of it, but I had to work a little bit with someone who understood the marketing tech stack better to understand why were they asking about this, and what’s the implications of it? And it really does take groups with this different set of expertise and knowledge coming together to figure out what’s possible in this. 

When I worked in an academic medical center, of course, we always thought every other group was better funded than our group. And the more I’ve gone to marketing conferences, I hear from so many different marketers about they’re having to justify their existence. They’re having to justify the tools that they’re requesting in order to try to drive new customers, new patients, new people to the website. 

And I hadn’t really thought about it from their perspective, but they’re being required to produce information as to why they have these expenditures just the same as every other group. And from your perspective with a marketing company, I have to figure that’s a driving force for a lot of them, which is the more information you collect, the better chance you have to be able to justify what you’re doing and the campaigns you’ve done. 

Aaron Burnett: Yeah, that’s absolutely true so long as you are collecting the right information and you’re storing it in a manner that allows you to glean insights from it and to drive performance through it as well.

Actually, let me do this. Let me ask you a question about how you advise clients, and I will tell you what we do with clients and how we advise clients to drive the performance that you just described, because I don’t want to bias the response that you’ll give.

All right, so we’ve talked about all of this complexity, 21 states with privacy laws, really confusing guidance at a federal level, civil actions and attorneys who are using antiquated laws that would appear to be not applicable and yet seem to be effective in the courts. Given that complexity, how do you advise clients? 

What posture do you advise clients to take to both be compliant but also drive performance? 

How Cyndelos Advises Clients 

Richard Chapman: I wouldn’t say it’s flipped on its head, but those first questions we ask have changed over two and a half years of being in this business because when we first entered, we had very much a privacy-centric mindset, and I intentionally am not saying privacy-first marketing because to me that is a collaborative mindset. 

I’m saying a privacy-first mindset. And so some of our initial engagements and some of our initial advisement was around should you be running this particular tracker? This is a page that collects this type of information. Just really focused on what are the page types, what’s the information potentially being collected by this, and is it worth the risk to run it? 

Where we are evolving some, and I’m going just an hour over for a meeting on Friday with a potential client, we lead with the question of: What’s your marketing team trying to achieve here? Because we don’t know their business, and this is a non-healthcare prospect that I’m going to, and they operate in multiple states, and they sell across state lines. 

And really whatever they, whatever their marketing technology stack is operating, or at least I hope it has some sort of reasoning to why they’re collecting this information. And so as we advise clients, we have evolved, I wouldn’t say shifted, but evolved from just immediately thinking very much in a narrow privacy sense of should you be running this to what’s the organization trying to achieve? 

And now knowing that, let’s take a look at what’s running and see where we can identify high-risk areas where you really might get in trouble if you don’t change something. If we can make some adjustments, for instance, on what your cookie banner says or how it’s placed or how you’re collecting some type of consent on this, to give you a little bit more freedom in what data you’re collecting and how you’re going to use that data. 

I just think it’s a more total solution. 

Wheelhouse’s Private Client ID Approach 

Aaron Burnett: The approach that we take, particularly if we’re dealing with a HIPAA-covered entity, then it’s quite clear. The approach we take is that we replace all third-party tracking with a private client ID and private data libraries. One of the things that wasn’t well understood, I think, is becoming better understood over time, is if you’ve got third-party tracking in place, it’s not just the tracker; it’s the data library that governs what’s collected. That is not within your control. 

That’s controlled by the third party. So it’s great that you reviewed that tracker with your compliance team, and you said, “Today is Wednesday, and on Wednesday, Meta is collecting this.” But on Thursday, they might change the data library and collect something else. So it’s a movable feast for them. 

So the approach that we take is, okay, nobody gets to collect anything except via our private client ID. And the private client ID has the benefit of both control, and also it is unique to the client, and it isn’t shared outside the organization. It can’t be knit together with other things that Google knows to say, “Aha, I know this is Richard who also visited this site and watched this video,” and that sort of thing. 

And then we use technology, either our own or third-party technology, to block other trackers and cleanse URLs, and then to control down to a single data attribute level what’s shared with third parties. So we can share a conversion flag with Meta or a conversion flag with Google AdWords, but nothing more, none of the greediness that they have. 

I think what we found to be most beneficial in terms of driving performance is that the act of changing the architecture of the measurement system by definition requires thoughtfulness. The platforms offer this big green easy button. Just press this, put our tracking on, and we will tell you what’s happening. 

The problem is that they tell you what’s happening from their perspective, and it’s beneficial to them, and most marketers haven’t stopped to think, “Wait a second, what do I actually want to measure? And is it on the website or is it actually in my CRM when a patient shows up for an appointment or I get a new customer start for a medical device or that sort of thing?” 

And so as we create this new architecture, we also implement connections to other systems so that we’re measuring the moment of value creation, and then we’re pulling that into a HIPAA-compliant data warehouse. So it’s an entirely different approach to driving performance, and it also offers the benefit of clarity with regard to performance, and we also can adjust what’s collected as the regulatory environment changes. 

So okay, laws become more restrictive, less restrictive, we can adapt. If we’re operating in Europe under GDPR, that’s easy. That’s a configuration on our part. We can do that at a global or a local level. In the end, we do this in a composable way. So sometimes we’re using third-party vendors like Tealium or Segment or something else. 

Sometimes we’re using our own technology, sometimes we’re using something a client has. It’s the outcome we’re focused on rather than implementing something that is proprietary that we developed. 

Richard Chapman: Do you find any degradation in the conversion rate then with, say, a client of yours being able to target a prospect and then be able to convert them to a client and their revenue dropped as a result? 

Do you find any sort of degradation in implementing something like that? 

Real-Time Propensity Scoring Without PHI 

Aaron Burnett: Yes, if we were to continue to rely on the traditional means of targeting and tracking, that would be a big problem. But there’s just a fundamental shift in mindset and approach that’s required here. And so the approach that we take, for example, is, you’re familiar with propensity modeling? 

Yes. So for the uninitiated, propensity modeling is typically used to define the demographic and sometimes psychographic characteristics of an audience you’re trying to reach, and then you use it to go to a third party and to identify an audience that you want to target, and then you get that audience data in a compliant manner and you can go after them. 

And that has value, but it’s a slow cycle model process. You go get an audience, you target them, if that works, and then you do it again. The approach that we take is that we’ve built a real-time propensity score that occurs at the moment of form fill or appointment booking or that sort of thing for a client, and then because of the data architecture we’ve created, we can transmit that score in real time to the platforms. 

So every time there is a proximate conversion event, we’re saying, “That was a good one. That’s worth 99 out of 100. That was worth 10 out of 100. This is worth 49 out of 100.” And we’re not sharing any PHI. We’re just sharing a score that says, “More like that, less like that, eh, that one was kind of middling.” 

And that has allowed us to drive phenomenal performance. That’s not a mechanism, that’s not an approach that was available or, to the best of our knowledge, used previously, but it’s one that’s tremendously effective and just very different than the conventional way you would go about achieving that sort of outcome. 

HIPAA vs. State Law: Different Privacy Standards 

Richard Chapman: When I think about the marketing requirements around state law and the marketing requirements around HIPAA, there’s some differences to them from a privacy perspective. There is a lot of leeway given on state law when you give notice. That’s why you see so many cookie banners around today, because you’re collecting consent for somebody supposedly reading that, but admittedly we seldom do. 

Whereas in a healthcare setting with HIPAA, even if you’re in a secure compliant container, there are still restrictions on if something gets termed to be PHI, whether you can use it for marketing purposes, which is another gray area. Have you run into that with any healthcare organizations, a compliance side questioning that? 

Because I can see how you can get through with your model in a way that would be compliant. But I also think, just the same as I have trouble sometimes explaining to privacy officers what we’re trying to achieve, I can imagine that sometimes it’s a little bit of an education process for you to explain that. 

Aaron Burnett: It is. That’s absolutely true. We haven’t run into those objections, but what also is important to understand is that we operate under BAA with our clients. And so we have the same sort of access and the same sort of obligations around that data that our clients do. 

Balancing Convenience and Privacy 

Richard Chapman: But on the other hand, there are those stories out there where unintended teenage pregnancy, there’s that classic story of where one of the major pharmacy chains picked that up, and suddenly this teen, to their home address, was getting mailings about pregnancy type of goods and services. 

In my mind, I’m always running through how we balance the conveniences like we get with Amazon versus those things that we may individually not want others to know. And I have to admit, I still haven’t come up with just one silver bullet on it all, a one size fits all. But it does seem we’re in that challenging area where eighty, maybe ninety percent of my healthcare, I don’t care if it’s blasted on national news, but that ten percent I don’t want anyone to know. 

Aaron Burnett: We take a very conservative approach, and we don’t use any of it. So again, even with propensity modeling, we’re just indicating more like this sort of a person, not this person specifically. We’re not going to remarket to that person. We’re not going to target them for anything else. There’s no follow-on activity that will occur for that person. 

It’s just somebody that looks and feels and is this, is the shape of that person. Otherwise, we’re very conservative about remarketing, retargeting, any of those sorts of things and using any of that data. Because again, under BAA, we have exactly the same obligations as the healthcare provider does and are subject to exactly the same penalties they are as well.  

Where Privacy Regulation Is Headed 

Richard Chapman: Do you have any sort of thoughts about just overall where we’re headed privacy-wise, either at the state non-healthcare level, the healthcare level? Because I’ve tracked and talked to people, contacts of mine in DC for years about federal privacy legislation, and not that I have any unique insight into this, I don’t, but even with this latest run at it from the House of Representatives, I don’t think we’ll see federal legislation anytime soon. Or if we do see federal legislation, it’ll be pretty weak in terms of this. But we’re collecting more and more data, and so the more data we collect about people’s behavior and what they do, the bigger the need, in my opinion, for some sort of framework around what can we collect and what can we do with it. 

Do you see it getting any easier anytime soon? 

Aaron Burnett: No, I don’t see it getting any easier. Our thesis is that privacy regulations are coming for everybody. And all right, they’re brought to bear most stringently for healthcare, med tech covered entities and proximate covered entities. But we believe that more stringent privacy regulations will come for every industry. 

Starting with the logical extensions, financial services. It’s already there somewhat for pharma. It will be there more for pharma. And so part of the reason that we have focused what we know how to do in this area is, A, we know how to do some things that are hard for other agencies. There’s a bit of a moat around it. 

But we also think that what we do and the way we do it is the way that you’re going to have to transact digital marketing in the future and that just makes sense. And I think, because you’re a bit of a history buff, you’re aware of these bad events that took place over time that catalyzed privacy regulations. 

Okay, we’re in the era of more and more data being collected and LLMs making a lot of that data available because they’re harvesting that data and surfacing it in ways that are nominally accurate, but sometimes hallucinations. It will only take one or two catalyzing very bad events for there to be new scrutiny and new attention paid to this particular context and that particular context. 

Now that’s going to be digital advertisements on the home computer or the name and situation of that person appearing in an LLM for some reason because data was not governed in the appropriate way. So we think this is just the way things are going to go and that privacy regulations will become, and this is not new language on my part, that the notion of privacy and keeping your data private will become at least close to a notion of a human right, that you have the right to establish and protect your integrity and the integrity of your identity from other commercial and governmental interests. 

Aaron Burnett: Respect of privacy, data privacy, will become a brand attribute. 

Richard Chapman: That’s a pretty cool idea. I like that. 

Aaron Burnett: I do too.  

The Takeaway for Marketing Professionals 

Aaron Burnett: For healthcare and med tech marketing leaders, the practical takeaway from my conversation with Richard is this: compliance standards and risk avoidance are no longer defined solely by federal regulators. 

It’s happening state by state through legislation and legal action, some of it public, but much of it occurring via private demand letters and quiet private settlements. Nothing is public. Nobody learns anything. Responding to that shift requires legal compliance and marketing alignment that’s new for many organizations. 

It also requires a clear understanding of the tracking and martech in operation and the risks and possibilities they create. Richard Chapman can help. You’ll find him on LinkedIn and at Cyndelos.com. I’m Aaron Burnett, and I’ll see you next time on The Digital Clinic. 

Sponsored by Wheelhouse DMG