Digital Tracking Technologies & HIPAA: Latest Updates and Ongoing Risks

Read the Full Transcript

Stewart Gandolf

Hi, everyone, Stuart Gandolf here for another updated podcast about digital tracking technologies and HIPAA regulations along with class action lawsuits and all kinds of other very sort of disconcerting and concerning issues that we have to talk about in our world today.

So today, I've invited my colleague, James Corr, who's Head of Partnerships with Freshpaint. And so, James and I have met recently.

We were working with Freshpaint since last year as a partner. And so today I wanted to do an update.

We've done podcasts on this. James, as you know, we've done eBooks on this, but a lot of happens in a year in the world of healthcare.

So, as we wrap up the end of 2024 and begin 2025 here, I wanted to talk about what's new and current.

So just as the headline here for listeners slash readers who aren't aware with this back in 2022, so many things happened that caused the office civil right to bring in big lawsuits, or I'm sorry, bring in big cases, along with the FCC.

FCC's been involved office civil rights, and there's also been class action lawsuits. And James is going to talk about all that in just a moment, but this all comes back to the Facebook pixel, Google pixel for Google Analytics and other digital tracking technologies.

So, this is an area that you should be aware of. And so, I've asked James today to talk about kind of the history of all this, what happened, where are we now, where are we likely to go.

So welcome, James.

James Corr - Partnerships @ Freshpaint

Yeah, thank you for having me, Stuart. I really appreciate it and excited to talk about everything that you just mentioned.

Stewart Gandolf

Okay, right. Yeah, there's a lot there. So ,the big picture, I think going back to the headline, let's just talk about what the main takeaway people should have before we even go into the details.

what is the, what is the concise message that you're like, if people walk away with nothing else,  they it would be what

James Corr - Partnerships @ Freshpaint

yeah great place to start so if there's one thing that I want you to walk away with here today it's kind of at the root of everything that we're talking about that is simply that if if you are a covered entity a healthcare marketer today and you have a Google advertising campaign and meta and google analytics on your website you are in a risky place as it relates to protected health information and sharing that with those third parties.

We'll talk and dive into all of the specifics but I think that is the most critical element that I want everybody to walk away with that it is a concern as it relates to protected health information and the HHS or Health and Human Services it is concerned about this as it relates to HIPAA violations so I'm not a lawyer none of this is legal you know advice or anything like that but I can tell you that we have many, many customers that agree with our worldview around protected health information and can help you govern that data between you and a third party to help reduce your risk and protect patient privacy and allow you to perform those marketing activities so you can alleviate that risk.

Stewart Gandolf

So when I underscore what you just said there and it's my bad, I must always start with that disclaimer, not attorneys here, I'm not giving legal advice, I'm not qualified to give legal advice and even if I was, I wouldn't be giving a general advice, right?

So we suggest you speak to your own counsel. I will in the on the post itself include some links from leading law firms that beyond just, you know, through it and James's opinion here, we want to make sure that you have you can do your own research.

So but rather than read through legal briefs, you might want to start with just the big picture and try to understand what the heck is going on.

So I would like you to bring us back to the the golden days of 2022. Yeah. But tell us about how this all began.

James Corr - Partnerships @ Freshpaint

Yeah. Yeah. Happy to. And you mentioned there's a couple of different vactors. We're going to focus on the health and human services, which is enforced by the Office of Civil Rights or OCR.

So I'll use those HHS and OCR acronyms a little bit as we kind of go through things. At the end, we'll maybe we'll come back to some of the other areas that we hear our customers are worried about like class actions, state level privacy laws, ultimately just losing trust in the marketplace and their communities.

Those are some of the other places that our customers are commonly telling us that they're worried about in addition to slash separate from the HHS and HIPAA violation.

But coming back to it and just kind of focusing in and talking more about HIPAA violations and HHS and kind of how we got here.

So, as you mentioned, we'll rewind the history books here and go back to many, many years ago in June of 2022.

actually The Markup did a big investigation into Facebook tracking and this was kind of like a big event in the industry that got hosted and got a lot of interest from various places.

So at the time, know, the HHS hadn't said anything but between that article being published and then the end of the year there was a bunch of lawsuits filed against meta against Northwestern, UCSF, Advocate, Aurora, Duke, a bunch of health care systems that were using Meta to do marketing that had a bunch of privacy concerns.

So at the end of 2022, I can't tell you for certain but it's my belief and Freshpaint's point of view that a variety of things but a lot of these being the lawsuits that I just mentioned and that The Markup article in particular helped the HHS provide their guidance later in 2022.

So December of 2022, the Health and Human Services versus puts out this guidance, and the key thing, the key element that I'll highlight here, it's quite a long guidance, but in summary, the way that we approach things and the concern that exists for healthcare marketers today boils down to sharing protected health information with third parties that you do not have a business associate agreement with, or BAA.

And a BAA is really just a fancy way of saying a contractual agreement that with some third party that you're going to share sensitive data with them, and they're going to share in the risk, liability, take care of that data.

So if you do not have a BAA with a third party that you're sharing data with, immediately it should be a concern to you as a healthcare organization.

And specifically what the HHS has said is that these web tracking technologies have access to too much information. They didn't say you can't do advertising, they didn't say you can't understand what's happening on your website using an analytics tool, what they said is that these third parties, these web tracking technologies have access to too much data.

And when I say too much data, I'm really talking about protected health information. And the way that the HHS defines it as it relates to web tracking technologies is that it boils down to kind of two pieces of data.

So it's identifiers. that's things like a name, a social security number, amongst other things like device ID or an advertising ID.

So there's about 18 of that that the HHS has clearly defined that in addition to health information. And health information was really the more talked about topic when this was published.

Because this is where things really came to things kind of changed. And what they just said is that health information is now a URL.

It can be the name of a conversion that you're sending to these third parties to say that somebody did something, it can be a page title, it could be the title of a video.

All these things are very commonly tracked and or accessible from the browser through these web tracking technologies. So to summarize, what the HHS said in December of 2022 is that there is a concern as it relates to HIPAA because these web tracking technologies have access to protected health information and we don't have the safeguards in place with these third parties.

So they have access to identifiers and health information together and that is a cause for concern for us.

Stewart Gandolf

So I want to jump in here. That period, as soon as this came down with the OCR guidance in December of 2022, we became aware as we started looking for research, nobody knew what to do at that point.

And I call it a national locker room that we have a relationship with, because before. healthcare, right? So, and I spoke to one of the key attorneys, and he didn't have time to represent us because he was actually involved in defending some of these hospitals, so he couldn't go on the record.

And, but he did give some really interesting insights there. And so, I think that out of everything he said, which is all true, the one thing that was, you know, there's a couple things that were maybe unprecedented at that time, at least when I remember from the conversation, one was that the OCR came out with this guidance without really getting input from the industry.

so, he said, that's really unprecedented, and that's surprising. And then the other thing, and so he was, you know, at the time, he was like, you know, we don't know where there's this going, we have no idea, but we still don't really know, we'll get to that in a sec.

But the other part of it that was, the one thing I remember from that call, especially, was the idea that the IP address was protected information of is, or that you could, and, you know, and the idea of that, and we'll talk again about this a little bit more a little bit later.

But, you know, the people in the industry were saying, wait, an IP address doesn't necessarily have to be an individual.

how would anybody find that in all these things? it wasn't. It was, there was a little bit of, well, there was a lot of confusion surrounding this topic.

And there was some confusion, too. And then jumping into 2023, this was the topic at a lot of the conferences we were going to in healthcare.

So we went to SISHMD that year. I think HJC was the part of this in the forum. These were, you know, the topic everybody was talking about.

And you know, I'd love you to talk about, you know, during that period in 2023, I mean, some people just stopped tracking, some people stopped marketing, like to expand on that a little bit more of this area of deep uncertainty.

And by the way, during this period, just from our own side, we were doing a lot of due diligence, tens of thousands of dollars of consulting fees, man hours and attorney fees, to sort out, you know, like who we partner with and how.

So I'll come back to that. But James, I'd love you to- to give some insight on how that year evolved and the important events during that period.

James Corr - Partnerships @ Freshpaint

Yeah, yeah, and I'll say that your team's done a great job at really diving in and partnering with us on all the things that we're talking about here too, to come back to 2023.

So a couple things happened that year that are noteworthy. CCPA, so that the California Consumer Protection Act came into effect in January of 2023.

So that's kind of separate from what we're talking about, but I think it's still noteworthy. It speaks to kind of some of the state level privacy laws that maybe we'll come back to here at the end of things separate from HIPAA, it did go into effect in January of 2023.

Coming back to HIPAA and the HHS's guidance, as well as, you mentioned earlier, the FTC got involved. So in February of that year, they actually started issuing, or had issued, came to light.

some fines against better health. I believe it was in the 5 to $1,000,000-ish range, as well as a couple other companies like GoodRx and a few others.

The point being here is that the FTC started getting involved as an enforcement arm for some of the same things that we're talking about here.

In addition to that, we also saw the FTC and HHS issue a joint privacy warning around web tracking technologies, and most other cyber security threats in July of 2023, just a further emphasize everything that they were seeing and the concerns that they were noticing in the marketplace as well.

And last but not least, in 2023, the HHS as well as FTC both had requested more funds to actually go and enforce, investigate, and work on these challenges that they saw.

So they requested essentially something north of 160 million dollars to better enforce, better investigate all of these areas that were taught.

Well, again, the point being here is that they recognize the challenges that exist with technologies and what patients to be safe, essentially.

Stewart Gandolf

Yeah, I'll just bring up the important fact on FTC. By the way, James, is, you're the expert on this.

correct me if I make any mistakes in my point summary here, but I'm pretty sure I'm right about this.

So, with FTC, the noteworthy part about that is, you know, for some companies out there, we're not worried about HIPAA because they're not covered entities.

Of course, to be a covered entity, have to accept insurance. when the FTC gets involved, okay, it doesn't matter if you're covered in it because it's a whole different regulatory body.

So, that made it just widened the scope. And I'm pretty sure that's why, you know, for example, some of the companies that just mentioned got entangled, you don't even have to be a covered entity and you still have to be careful.

So, that was a big deal for sure.

James Corr - Partnerships @ Freshpaint

Yeah, great call out.

Stewart Gandolf

Yeah, and so the, so that was all happening. And during this period, Remember, some hospital systems and health, you know, businesses would just say, well, we think it's the odds of getting, you know, into trouble or slimmer is going to take versus going to risk it.

We don't have budget for what it's going to do with it. Others shut everything down and overreacted probably and took all the pixels off their website and, you know, basically did nothing.

And then some created their own custom engineering solutions. you know, you guys FreshPaint just sort of appeared over the horizon, like exactly the right time that you guys were starting late before this ever happened, but the timing of the market came to you guys.

So, you know, we engage with you guys during that period or started working with you guys at that point.

The, I guess what else is noteworthy about 20, trying to think back 2023 that that's really was just a lot of uncertainty around these technologies, people funding solutions Freshpaint is one of them.

There's other ways of doing it. There's like, you know, all kinds of sort of technical workarounds in different ways to approach this, and that's not my area of expertise, but we did research this, but we came back to Freshpaint as a practical solution.

Let's talk about 2024, just we don’t have give everybody a day-to-day blow-by-blow lesson, but so then there was a big question around the American Hospital Association and some hospitals sitting on OCR, and that would cause more uncertainty in the marketplace.

well, this is all going to just go away. more or less, there's a brief discussion about that and you know, what happened there, then we'll just switch to that.

James Corr - Partnerships @ Freshpaint

Yeah, I forgot to mention in 2023 is when, I believe, the middleish of that year, don't quote me on the date, is when the American Hospital Association or AHA had filed that lawsuit, that is also noteworthy in 2023, then the settlement happened, and the outcome of that case happened in July of 2024.

really quickly before I get into the specifics of that case and the outcome and the impact that it has on us.

I do also want to quickly mention that before that. So in March of 2024, the HHS provided an update to its guidance, essentially recognizing some of the concerns in the marketplace and trying to clarify their intent and their guidance a little bit more detailed and in a way that would help the marketplace better understand what they were aiming to do.

And I think it's worth noting in that guidance, the HHS actually notes that if you're not able to achieve a BAA with a third party, using a solution like Freshpaint or another customer data platform to do some of the things that we do, it is a viable solution for what we're trying to achieve.

So they pretty noteworthy to us that they would mention a product category. Within their guidance, we felt that was pretty interesting and provided a lot of gumption and and approval of the solution that that we were putting into the marketplace, which is as you can imagine pretty exciting to us.

But coming back to the July 2024 outcome on the AHA lawsuit, so you're correct, the American Hospital Association brought a lawsuit essentially that boils down to challenging whether not IP address collection really qualifies as an identifier, and if that should be a part of the HSS guidance or not.

So the outcome is that the AHA won, they won the lawsuit against HHS, and the HHS had to drop the IP address collection piece of their guidance from their bulletin essentially.

information. There's a lot of confusion around this. We're still even seeing it today. HIPAA is not gone. There is still very much a concern as it relates to web tracking technologies, even with the outcome of this case clear.

And so what the impact of this is of the case is that the outcome of tracking IP address is that you track IP address alone.

However, when you have IP address in addition to, say, health information or other identifiers, that is a concern. That is still part of the HHS guidance.

So it essentially, we have vacated the IP address collection when you're doing that alone. There is no concern. But as soon as you involve any other identifiers, like, again, an advertising ID or device ID, which are very commonly tracked, in addition to health information, you're still in the same place as we were, say, in June of 2024, before the outcome of this case.

determine as you work after it, the only thing that changed is the collection of IP address and IP address alone is now no longer part of the HHS guidance.

Stewart Gandolf

Okay, so, and there's, you get a, there's a, I'm not a attorney, this is a very specialized area of the law.

And in fact, in our on this page for posting the podcast, we'll post at least one, maybe several attorneys that people can call themselves.

This is highly specialized. This is not my expertise. I'm not going to ever say I'm only sharing what I've learned.

But there's a lot of nuances here when you get into these kinds of things about, okay, what does it mean if the patient does this or the prospect does this or what does it mean?

And these are outside of my scope. So I would say, um, I'd like to, um, so there, I guess as we're thinking this through, I would say number one, this isn't over.

one, I would say that. two, there's probably still going to be more clarifications down the line. I want to come back to maybe a conclusion, but before I do that, let's take a moment to talk about, we've already mentioned the FTC lawsuit.

We've already talked about OCR. haven't talked about the class action lawsuit part of this, and I haven't heard much of an update since the early days.

of course, there is, at one point, it seemed like every hospital is getting sued by a class action lawsuit, whether those had any...

How many of those actually closed and went somewhere? don't know, but that was certainly a chilling effect in the market.

Can you speak to that at all? What happened? What seems to be happening now?

James Corr - Partnerships @ Freshpaint

Yeah, I mean, we've seen some of them have closed. We still continue to get customers that come to us, or frankly, in transparency here, we'll talk with a potential customer, say, months ago, and then they come back to us now, and they, six months ago, they told us, you know, we're not sure.

now is the right time or whatever the reason may be and decide to go on their way, but now they come back to us and we ask them, oh, like, tell me what brings you back and, you know, they tell us that they're involved in a class action or something similar to that.

So still very much happening. Unfortunately, what's happening is that, you know, with technology, it's really easy to scan a bunch of websites.

you could, you could, you know, with a little bit of time and understanding you could build a piece of technology that could go look at say hundreds or thousands or millions of websites and tell you, you know, do you have these web tracking technology concerns on your site?

Yes or no? And then from that, what we're seeing is that that same person for lack of a better term here in ambulance chaser-esque type person, is then taking that information and then going into the marketplace where these, these organizations exist to provide health care, finding customers,

that, you know, were a part of, you know, a patient at said organization and then creating a class action off of that in some way, shape or form.

Ironically, we're even hearing that or have seen that they've used Facebook ads to collect these patients and then solicit them as a part of the class action.

So, yes, still very much happening. It's very much a red flag on your website that exists. These web tracking technologies and they are visible from the outside looking in unless you remove them with, you know, a platform like Freshpaint or others before they can get their data.

Stewart Gandolf

Yeah. And I would just also add in this, I don't know, when this first came out, Facebook was the focus of this.

And then, you know, sometime in 2023, people began to remember trying to remember now because it's like, it's been a while.

like, all this stuff has happened. The focus was like, wait a minute. It's the same thing. it's not just Facebook or matter, rather.

It's also, and really, Any of those little tracking technology coming on that?

James Corr - Partnerships @ Freshpaint

Yeah, yeah, I mean, absolutely. You, you know, I've said most of it there, essentially any of these third parties that you have on your website today, you should be asking yourself, first and foremost, do I have a business associate agreement with that?

Yes or no? And if the answer is no, then the question becomes, okay, what information am I sharing with them?

And oftentimes it includes both health information, i.e., you know, an URL and identifier of some shape or form that that equals a cost for concern.

So that's what you said, Meta, Google ads, Google Analytics, but it's also, you know, any of the other, you know, platforms, so Bing would fall into the same category, as well as Pinterest, LinkedIn, TikTok, all of these are common things that our customers ask us about.

We have integrations for it also extends into programmatic advertising. So, things like the Trade Desk or Stack Adapt. all of those kind of all fall into the same category of, you know, areas of concern.

Stewart Gandolf

Got it. And then, um, oh, I want to complicate this more. Let's talk about state laws. So it's happening there.

James Corr - Partnerships @ Freshpaint

Yeah, there's, there's a patchwork of state level privacy laws. So I will, I won't dive into any, any, which one specifically, but just know that there is differing levels of, of regulation dependent upon the state that we're talking about.

So for instance, um, Washington has as pretty strict laws, uh, MyHelp, MyData is what they call it.

Um, and it takes a GDPR-esque type stand so that that's a data regulation out of Europe, which is really all about opting in before you, you measure, attract any data on any user.

So that's a pretty unique case, and a really, really strict one. Most of the country doesn't have that today, but the point is dependent upon the state you're in, there's varying the state level laws, and then in some of them, depending upon, again, who we're talking about and what we're talking about, some of them exclude covered entities because they get covered by all the other things that we're talking about with respect to HHS.

essentially, it's like if you're talking about HIPAA and you're a covered entity, you oftentimes actually sometimes fall out of these regulations and fall into everything that we've already talked about.

So there's even some questions around how that works, especially for providers that work across multiple states, you're going to have to play into whatever the most strict set of data privacy laws that exist within your, wherever you serve.

Stewart Gandolf

So that's, in fact, I spoke against another attorney in this category recently, and that was, it's interesting, you know, again, I'm not giving legal advice, you know, interpreting a quick call for the attorney we work with, but the, you know, this is a pretty common problem when you have state laws and federal laws and different agencies.

these all, you know, sort of have different rules and how is it practical for any business to really adapt.

And so it's interesting that it may end up not giving promises here, we're just deferring, well, if it's OCR, we're okay.

And so that's, but that's not all defined. that's, you know, it's a confusing morass and it's frustrating. And you know, I guess as we wrap up here, without getting into, you know, the, you know, there's, we could talk about this for hours, not, it's a fun topic, but it's something we should be aware of.

The, I would say that, when we talked to clients about this, as I mentioned in the beginning here, we're not attorneys, we're not experts at like all these nuances of laws, we are definitely, you know, digital markers, we certainly understand that.

And so we've decided to take the conservative route and find a partner, in this case, it's Freshpaint, clearly.

And not that I'm like in Freshpaint here, I'm just thinking there's other ways of doing this. But for us it was the practical solution. And there's different B levels and there's obviously the scope's different, the fees are different.

And so if you're interested in this topic and working to buzz, we've got some partnership with Freshpaint. can I help guide you in some of the options there.

But I would just pick this as an insurance policy. mean, objectively, that's what it comes down to. us, as an agency, number one, I'm a conservative guy, hate taking unnecessary risk.

I take risk in plenty of places, but not in this, because it would be a catastrophic event for our clients and for our agency.

This becomes a big, big issue. So we strongly advise people to understand this topic, make their own decisions, talk to their counsel.

Again, that's why you can do this. Let's just make these pretty sketchable things. Ah, you're just trying to sell us Freshpaint.

Like, I don't get a commission. gosh. Like, that's not like this is a vow. Like, I'm a, you know, I like to think of myself as a very informed thought leader in his face.

I've been doing this for a long time, and this is just an area that we felt like we had to find a risk mitigation strategy, and it's been interesting is, you know, sort of throwing some comments in here and I'd love you to respond.

Talk to a nursing home, or I'm sorry, I have senior living categories at one of their skilled nursing facilities, but senior living business, there's a couple of days ago now.

And I thought it was really interesting we share this with every client as we're onboarding, is this something we're recommending to do and what have been, you know, all of this.

And I said, you know what Stewart, we want to move forward the marketing and the great news is we can talk to our team internally, this would be not from the marketing budget, the risk mitigation budgets they actually have a budget for.

There are some nursing facilities that they have that was like, there's plenty of risk mitigation factors. That was a really interesting insight, like, yeah, why is that coming out of the marketing budget you guys have risk mitigation all over the place you have risk mitigation for insurance your risk mitigation for, you know, legal issues.

And so to me. It's like, my life is complicated enough about an unexpected letter, so I don't know if you have any comments on that, but that's why we chose the conservative route.

We just want to make sure that our clients are fully warned, and really everybody, if they don't be a client of ours, to at least know that this is a thing and to stay and understand it and give it the due diligence that it requires.

James Corr - Partnerships @ Freshpaint

Yeah, no, I completely agree. Of course, I'm a bit biased, know, I'm working at Freshpaint, but there's a variety of reasons that their customers choose Freshpaint versus other solutions in the marketplace.

We focus on healthcare, that is our only focus, and it's a broad spectrum within healthcare, but we do focus entirely on healthcare day to day.

This is what we eat, sleep, and breathe at Freshpaint, and only what we're concerned about. To your point earlier, we've done some due diligence on our side, and I'll make sure that we include some of the content that we have from some of the attorneys that we've talked to.

Actually, we have a webinar, and a one-pager from a conversation that we had in early 2024, from David E. Drinker, and then we also did one in late 2024, after the AHA lawsuit settlement with Jennifer Plank over at Austin & Bird.

So I'm happy to make sure we include those as well. Don't just take our word for it. You can hear from some legal professionals, their interpretation of the things that we're talking about here, how those things apply, and hear a little bit more maybe about Freshpaint and what it is that we do and why we fit in and we feel we're one of the strongest in the industry as well.

Stewart Gandolf

Yeah, I can actually touch on that. Like, what is, know, without making it to an ad, obviously, but like, your approach is, and you know, why you just, you know, minute on that to help our listeners.

James Corr - Partnerships @ Freshpaint

So, a couple of things, happy to expand on that. of course, my team will be more than happy you were excited to dive into it with anyone who's interested more individually.

But for purposes of this, I think there's a couple of things worth noting here. So I already mentioned that we focused entirely on healthcare versus a lot of other platforms that are more industry agnostic.

So in and of itself, like everything that we do focuses on healthcare and covered entities and the problems and challenges that they face.

So with that in mind, there are a couple areas where we're different than some of the other things that you could aim to accomplish compliance in the industry.

So number one, I mean, just table stakes, design, business associate agreements with all of our customers to collect all of this data.

Number two, you're going to remove all of those tracking technologies from your website and replace it with Freshpaint.

So you're no longer going to have any of those red flags that exist on your sites. And we purpose-built all of the server side integrations or essentially the way that we send data to these third parties to facilitate the needs of our healthcare marketers.

So that means both, you know, satisfying privacy concerns, but also making sure that the data and the way that we're delivering that data to the third party is going to allow you to accomplish the goals that you want.

As it relates to say Google Analytics 4, for instance, that is a particular one where we have spent a lot of time effort and energy actually building our own bridge between us and them to ensure that the data that you see in GA4, you know, pre- and post-deployment and Freshpaint, looks almost identical.

There's really no drop off between the two. And then the last two things that I'll quickly mention here, number one is that we approach everything from what we refer to as safe by default approach.

So even if you set up your account and configure everything within Freshpaint, until you actually opt in and explicitly define the data that you want to share through a visual interface with a third party, that's not going to get shared with them.

So there's no engineering or development involved in that. It's a very marketer and frankly legal friendly interface. Our goal is to remove development support or development need.

So we do not approach things from a code perspective. It's very low to no code. And then we have features within the platform that allow you to set those things up easily and understand them, but also maintain and verify that they're working in the way that you had intended.

So it's not just set it up and cross your fingers and hope everything looks good. We have the ability to verify and see that data as it flows through the platform.

And you can audit that and get back logs and all that sort of good stuff. The last thing I'll mention about Freshpaint is that we've talked a lot about today about governing the data between you and some third party.

In addition to that, we also have features that exist to help in other areas as it relates to patient privacy. So for instance, some of our customers are concerned about Google Maps and the data that it has access to when it's embedded on your website and it's the same story for YouTube and Vimeo.

So embedded video. So we have features and products within our platform that can allow you to replace say Google Maps with Freshpaint Maps and same story for say Google and YouTube, you can replace that with Freshpaint Video.

And anything for translations on your website. And last but not least, we also have features that allow you to audit the web trackers that exist on your site and then monitor and manage them going forward.

So that you don't have to be the one that is constantly checking and ensuring that your income clients.

So essentially the way I like to describe it is it's important to get a handle on what risk exists today and then take care of that.

But it's just as important that in six months from now a year from now, five years from now, that if something were to change and your risk changes on your website, that something is added, perhaps you didn't know about it, a partner adds it, a vendor adds it, and you will not know about it, but ultimately you'll be the one held responsible.

We have a set of features that help you manage that, and we'll alert you if we find something new, so it constantly monitors those things on your website as well.

Stewart Gandolf

Okay, awesome. Well, James, that was a lot. Okay, for our audience, you just came away with the big picture, which again, I would just, just the way we started, this is a topic that you just need to become aware of, it's real, it's out there.

You know, you'll have to work with your council and executive team to, you know, weigh your options and, but I would just urge you to take it very seriously.

There's a lot there about FTC, OCR, class action lawsuits and state laws all in one conversation. it's a quagmire. I didn't make it this up.

This isn't my fault. I promise. I have nothing to do with this. we, again, for our company, Healthcare Success, we've been, we're very careful.

We have HIPAA trainings internally. We do work with BAA platforms and we're always making sure when we find we have HIPAA trainings annually.

We go back and review periodically to make sure things are still going down the right path. Because it's a lot.

It's easy. We’re all human, right? So anyway, I appreciate your time, James. That was great. We'll probably talk again in the end of next year.

But as we look forward to 2025, I think the way is pretty clear for the foreseeable future. AHA lawsuit, I think, was a little confusing and pause people, but now it's kind of like if you're looking at this seriously, just like you said, it's still an issue.

There's a new administration coming in. I think it'll be interesting to see how that impacts things. But again, I always just feel like I'm taking the insurance route to be safe.

So great. Nice talking to you.

James Corr - Partnerships @ Freshpaint

Thank you. Awesome. Thanks, Stewart.