In this episode of the HIPAA Insider Show, host Adam Zeineddine is joined by Ray Mina, Vice President of Marketing at Freshpaint. With over 20 years of experience in marketing and growth for startups, Ray shares valuable insights on the challenges healthcare companies face in light of changing regulations and the increasing importance of data privacy.

Ray discusses:

The biggest regulatory challenges in healthcare marketing today
Transitioning to a proactive, “safe by default” approach in managing PHI
Establishing a new software category in a highly regulated industry
Best practices for compliant healthcare marketing campaigns
How Freshpaint’s Healthcare Privacy Platform helps safeguard and activate customer data
The evolution of marketing and data privacy in healthcare

Tune in for expert advice on balancing effective marketing strategies with HIPAA compliance and data protection in the healthcare industry.
Connect with Ray Mina on LinkedIn: https://www.linkedin.com/in/raymina/
Learn more about Freshpaint: https://freshpaint.io

For more information on HIPAA Vault, visit our website!


Do you have any remaining questions, requests, or just want to chat with us? Email us at podcast@hipaavault.com!

Transcript


Adam
Hello and welcome to the HIPAA Insider show where we discuss all things HIPAA compliance and cloud security. I’m your host Adam Zeineddine. Before we dive in, please take a moment to hit whatever button it is that you have in the app that you’re using. The subscribe button, the like, the share, and share it with anyone that’s interested in healthcare and cloud security. I’m joined today by a special guest. Ray is a customer-obsessed marketing and growth leader who spent more than 20 years helping early-stage startups build and execute go-to-market strategy. As VP of marketing at Freshpaint, he oversees the full marketing function and helps healthcare marketers access the healthcare privacy platform, a data platform that enables healthcare companies to collect, safeguard and activate customer data across their entire marketing stack.


Adam
Previously, Ray led marketing and sales at Tree Ring Lawyer, which was acquired by Clio, Fieldwire, acquired by Hilti, and you can follow him on LinkedIn for commentary and insights on healthcare marketing and the impact of federal and state privacy law on healthcare organizations. So I’m delighted to have Ray Mina join me today. Welcome.


Ray
Yeah, thanks for having me. Really great to connect with you. 


Adam
Yeah, it’s great to have you on. You know, we have a lot of questions from listeners and viewers about healthcare marketing and yeah, it’s going to be great to dive into some of those with you today. The biggest thing, and we’ll probably discuss it later on in a bit more detail, but the biggest thing that we get in terms of questions is from healthcare business owners that are looking to improve their web, their digital presence with the guidelines that HHS released. I think it was end of 2022, everything went up in the air because there was a lot of details about what was and wasn’t HIPAA compliant right when it came to like things like Google Analytics and Facebook and the pixels that are used for tracking. 


Adam
So with the ever changing HHS guidance, what do you see as the biggest challenges in healthcare that companies face today? 


Ray
I wish I could tell you that it was just like really understanding HHS and the HIPAA guidance and then you’re set. But what I think has happened since, and it was December of 2022, I remember we were working with a lot of health tech companies, but not traditional healthcare at the time. And literally after HHS issued that guidance overnight, we had some of the largest healthcare organizations, both from the payer and the provider side in America, coming to us. And now you fast forward and it’s 2024. And you think that by now there’s a pretty good handle on this stuff. But we’re seeing the FTC weigh in, literally banning people, banning healthcare organizations from even using the tools that you called out, like Facebook in their settlements. Like some of these organizations, I won’t drop names here. You could google them later if you want.


Ray
But they can’t even use Facebook ads or Google Ads anymore. They can’t share any data with those tools at all. You’ve got states, I think we’re up to 19 now that have issued consumer privacy laws that are adjacent to HIPAA type laws. And then you have over 200 individual class action lawsuits against health care organizations were open last year. And according to lawyers who’ve been doing this a while, 200 is a lot. So there’s like, multiple pillars of regulations and legal actions that healthcare organizations have to navigate today, and it’s becoming more and more difficult versus less difficult for them. 


Adam
Yeah. How can they stay ahead of those regulations and the regulatory changes? It must be difficult. 


Ray
It is. Yeah, I think it really is. I think up until the beginning of 2023, after people absorbed some of this guidance and compliance and legal teams were coming to marketing and saying, take off these pixels, we’re getting sued, or we’re afraid of getting sued. I think the dust has settled a little bit there. And one of the biggest recommendations that we always make is that marketing can no longer operate like in a silo. Like, you really do need to build those relationships with your legal, your chief compliance officer, the IT team. You know, typically marketers in traditional healthcare don’t have growth marketing teams where they have dev resources. So it would be your go to there. 


Ray
So it’s really like partnering very closely with those folks who, like marketers, aren’t experts in the nuances of, like, we operate in Washington state, and I don’t know the nuances of that healthcare privacy law, but your legal and compliance team, that’s their job. And continue to have that conversation. That’s a first step. A second step is like, before you do anything, just make sure you have a complete audit. Make sure you fully understand what is, because this really has to do with, like, what kind of trackers are on your healthcare website and what data is being shared to the destinations that those trackers power. And then is it okay to send that data to that tracker? Meaning do you have, like, a legal framework in place with your data warehouse or some other tool? 


Ray
Get that audit, because what you’ll find, like every healthcare organization we work with, they find two buckets at the end of that, they’re sending sensitive data to tools that it’s okay, they’ve signed what’s called a business associate agreement. They have the right contracts. It’s okay to send Snowflake a bunch of data because you have the right legal framework that’s taken care of. But they also find a bunch of tools, specifically like Google Analytics, Facebook ads, there are obvious ones, but even brand awareness tools, like some of these demand side platforms that run display advertising to an audience in a given market. Those tools don’t sign business associate agreements by design. They don’t want to be involved with safeguarding your PHI because they’re actually using it for other purposes. So you have to get to that place.


Ray
And then the last piece is, you got to do something about those tools. You can’t keep using those trackers on your site and sending sensitive data to a tool where the BA doesn’t exist because that’s exactly what lawyers are scanning sites for, to look for. And that’s exactly what the regulators have their eyes open towards. 


Adam
Yeah, from the end of 2022, we’ve had an increasing number of people reach out to us saying, hey, how do I get my analytics set up in a HIPAA compliant way? And initially what we were doing was we were saying, well, at the very least, if you’re going to be, well, the kill switch is remove all tracking from the whole website and then you’re.


Ray
Good to go, that’s fine, no problem. 


Adam
And just say, don’t bother with a website. Right. But like what we, after we looked at things, I think the recommendation that we were giving at the start was, if you can, because we’re a HIPAA compliant host, if you can bring us a software that we can host for you that is going to be storing the data, then we could probably be good to go and move from there. But I think the key there is, when you mentioned about the audit, it’s not as simple as that, because you also want to have the right dashboard to be able to give you the information that you need. So could you talk a little bit about healthcare organizations making the transition from not really knowing how the tracking is being done and being compliant to knowing, and how does Freshpaint play in helping them do that?


Ray
Yeah, I think what we learned the first, like, large healthcare organizations that came to us like it was an analytics problem. Like, we’ve spent a decade building a culture of data, and now it’s effing chaos because we can’t measure anything. But then we really quickly learned that larger healthcare organizations that have a large digital ad spend and have like a strategic focus on digital marketing. You know, they’re implementing what we as marketers call like full funnel strategies. Like I want to create brand awareness in my market, I want to drive those people to that convert to a patient experience and that may require like helping you find the healthcare you need and optimizing the appointment booking experience. And it’s not just the measurement and the analytics part, it’s all of those tools along that journey. 


Ray
So the first part starts with, look, I’ll say it, you can go, there’s a bunch of different analytics alternatives that if you have the energy to rip and replace, and it’s not going to fully disrupt your downstream workflows, but that’s only going to solve like a very small part of your problem because you’re using digital ad channels, Facebook, Google Ads, StackAdapt at the top of the funnel that don’t sign BAs. And it’s not just tracking. These tools don’t work very well unless you send a data set to them about conversion information because they’re using machine learning to optimize those conversions. Trust me, test it. Remove data flow to an ad tool that’s optimizing for conversion and you will see your customer acquisition cost, CPL, whatever you measure.


Ray
We’ve seen customers where that goes up by 8x, like your CFO is not going to let you spend money in those channels going forward. So that’s where you have to really think about this from what is your digital marketing strategy and what is the durable way? As privacy regulations continue to change, that makes it easy for you to adapt. And what is the durable way that addresses a growing list of tactics that you might employ in your digital marketing strategy. And that’s what we quickly realized in the beginning of 2023 is like, this isn’t an analytics problem, this isn’t just a Google Ads problem, it’s a digital marketing problem. And so we built a healthcare privacy platform. We actually had, you know, we were a CDP.


Ray
We call ourselves a recovering CDP, for reasons I can explain later if we have time, but we basically built a healthcare privacy platform to focus on addressing this digital marketing stack. And what we do is we wipe out. You remove all of those native web trackers that are just freely sharing third party data to the third parties, and instead you replace that with one BA supported tracker that’s Freshpaint. We collect all the data for you, store it in a HIPAA compliant way, and then we empower marketing and legal teams without the need for engineering resources to choose what data can be sent to Google Analytics to choose what data can be sent to Facebook. And there are ways to send a limited data set to these tools that make them very effective without actually sharing PHI.


Ray
So there are ways to find like this. You know, I gave Google just what they needed to do the job, but I didn’t give them the whole smorgasbord that they want to optimize for their future. 


Adam
Yeah, yeah, that’s great. And I echo that. I mean, when we went down the route of, you know, recommending tracking software or tracking systems to be installed on a HIPAA compliant host, it did solve one problem in the sense that any data that was being stored was in a HIPAA compliance environment. But a, the staff that were using the tools that they’ve been using for years, whether it’s Google Analytics or whatever it was, they had to be completely retrained, retooled, and that’s right. Also, the organization was just, it was chaotic. So it can be done, but it takes a lot more effort on the organization side in order to achieve it. So correct me if I’m wrong, but Freshpaint positions itself as a healthcare privacy platform.


Ray
Yes. 


Adam
Can you explain a little bit more about how the platform helps the marketers? Emphasis on the marketers. Well, safeguards the data, but still allow them to do what they want to do in terms of activating that data. 


Ray
Yeah, maybe this is a good way. Good time to explain what I meant by being a recovering CDP. So, yes. 


Adam
When freshman, could you explain what CDP is? 


Ray
Yeah. So what’s a CDP? A customer data platform’s job is to make it really easy for you to take the first party data that you’re collecting from your product or your website. In healthcare, it would be your marketing website and then pass that to downstream tools like Facebook or your email engagement platform, or if you’re using text messaging for a reminder, we just make it really easy to get that down. The issue with CDP is there’s two in healthcare. One is traditional healthcare teams don’t have a lot of development resources, and CDPs are built for engineers. So you need a pretty intensive engineering effort to stand them up. And most of the folks, and we’ve talked to the biggest players in the healthcare space, they don’t have access to these resources.


Ray
It takes three weeks to get someone to remove a tracker from the website, let alone stand up a CDP. The other part, and I said at the beginning, is CDPs make it really easy to get the whole payload of data downstream to the tool and that’s a huge problem in a heavily regulated industry like healthcare.


Adam
Yeah. 


Ray
And that’s exactly what’s happened is like you put these trackers or you put CDPs in place and they’re just sharing everything that they’re collecting. And you can’t do that. You have to be precise. So we basically inverted it. We said, okay, how do you do this without engineering resources? How do you make this easy for a marketer who’s not a dev person to stand this up? And so we basically pre built everything. So we pre built server side integrations with Google Ads, with Facebook ads, with all these different tools. We basically have a tracking snippet. That is, you get your IT team to put the snippet on the head of the website and you’re good to go or on specific pages.


Ray
And then the most important step is once you, then you’re collecting data from your website and you’re connected to, say, Google Ads, Google search ads. Freshpaint by default is sending no data to that tool. Zero. A CDP by default would be sending everything. Now you have the risk. You have to have someone go in and filter every event and make sure there’s no PHI in there. And then what we do is we have a visual interface that literally legal and marketing teams sit down together and they negotiate what data points is okay to share with something like Google Ads.


Adam
And then it complements, you know, the HIPAA principle of least privilege and security. And if you watch James Bond, you know, need to know basis.


Ray
The James Bond need to know basis. That’s exactly, that’s exactly the approach. 


Adam
Okay, well, let’s turn this on its head for a second, if you entertain me. So we talked a bit about the businesses here, the healthcare businesses, and how they need to comply with law. If you could shift it towards the patient side a little bit, because obviously, ultimately it’s all about what’s called improving patient outcomes when it comes to healthcare in general. What would me, if I was a patient browsing the web, what should I look out for generally? And what should I be cautious of when it comes to visiting a website? I see a lot more of accept cookies nowadays. Should I be, should I be declining all those? Does it depend on how serious I am about the websites I’m visiting, how much I trust it? Like if we could play with that idea for a bit. 


Ray
Yeah, I mean, you touched on consent management. There’s consent management which basically opts you out of cookies. But that also, as we both know, that also doesn’t like necessarily, if web trackers exist on that site, it doesn’t necessarily disconnect their ability to collect data about you and capture it downstream. I think for consumers, this is a pretty opaque experience, unless you’re going, and I don’t know that many consumers that have the time to do this. And you’re doing a site scan, there are tools where you can do a site scan. You can see what trackers are on that particular site. I don’t do that when I visit websites. 


Ray
So I think that you, yeah, I think that as a consumer, you’re really relying on the regulations, you’re relying on the privacy laws to, like, force healthcare industries and other regulated industries to make some of these common sense changes that are like, you don’t, as a consumer, we don’t want our experience to fall apart. 


Adam
Yeah. 


Ray
But we also recognize that you also don’t need to share, these organizations don’t need to share all the data that they’re sharing. But I’ll be honest, there’s not a great way today for consumers to really know what’s happening under the hood on these websites unless they’re technical and they want to spend a bunch of time scrutinizing the websites they visited. 


Adam
Yeah. Tools like BuiltWith and things like that. But like I said, I mean, who’s got the time to, every time they want to check out a website, take that URL and paste it into a.


Ray
Scan tool, and no one’s doing that. Like, you’re trying to get your kid to school and you’re trying to like, but I will. 


Adam
Oh, they use pixel. 


Ray
Oh, I’m not gonna go. I’m not gonna get. Let me do, let me say one thing, though, that, like, I want to make really clear, is that healthcare marketers and healthcare organizations, in all my experience, they’re not doing, for the most part, there’s outliers, obviously, in every industry. They’re not doing bad stuff with patient data. They’re just using it to try to help patients find the right services and things like that. The issue is that the ad tech companies, where the data ends up, they have one motivation. Google and Facebook, combined, it’s $250 billion a year in advertising income. Like, their only motivation is to continue to grow that at whatever cost. And they really don’t care about how the data is being used. And so that’s really the villain. 


Adam
They want the data. 


Ray
They just want the data. And the good news is healthcare providers are learning that there are ways for them to deliver that experience, but give way, way less data. It’s really the shift from this third party data world where we just pump everything out to a first party data world. We collect the data and then to your James Bond point, we are very careful and selective about how we use it to, you know, improve and enrich the experience. 


Adam
Yeah, it sounds like there’s a lot of education involved in that. Like you said, it’s not really like 99.9% of healthcare providers are not out there to, you know, harvest data. No, for the sake of it. It’s more just about them knowing what data they need, what data they don’t. 


Ray
You know, Adam, I want to say one other thing is like, what I haven’t seen yet, which I think healthcare CMOs and brands, I think they will start to recognize this because you raise a really good point. The consumer side, I’ve seen a lot of brands doing the right things to safeguard data, but none of them are using it as a strategic advantage for their brand. Like, if I was the CMO of a large healthcare organization and I’ve done all the work and spent all the money. Cause it’s not free to like, fix this stuff. No, I would want my patients to know that I’m taking a privacy first approach, that we really care about your experience, but we also care about safeguarding your data. Here’s what we’ve done about it.


Ray
I would let, I would let my consumer market know and I really haven’t seen healthcare organizations put that front and center. And I, and I expect that. I expect that as this becomes normalized, that they will start to see the strategic advantage there. 


Adam
Yeah, switching lanes a little bit. You’ve had a long career in marketing and long may it continue if you wanted to. You’ve worked with several successful startups. How do you see in marketing one side and data privacy on another evolve and the intersection between that? Could you talk a little bit about what advice you give for companies in healthcare, navigating marketing and data privacy moving forward? 


Ray
I think it’s really tricky. 


Adam
Right. 


Ray
Like, I have to first say that I’m a spoiled SaaS brat who never really worked in a heavily regulated industry and I didn’t have the sensitivity to privacy that healthcare has. That being said, like, I’ve always operated in a world of putting my, in my context, the healthcare marketing team is my end compliance team. That’s my customer. I’ve always operated in a world of like, doing best for them. Like, I’ve got a board that wants me to grow really fast. And I’ve got founders that want us to grow really fast. I get that. But I’ve never been willing to do it at the sacrifice of, like, what’s right for the end customer. And I think that’s, like, that’s just a North Star. 


Ray
And even if there’s no regulation or no thing, that’s, like, blocking me when I look at things that my team is proposing or I look at things that maybe, like, the wider team is proposing, and I’m like, that just doesn’t feel like if I’m that person, that doesn’t feel like what I want you to be doing. And so, like, let’s find a different way. And I think that’s kind of a mindset. I know that a lot of marketers in healthcare also share, and it’s just staying true to those first principles even under, like, a growing pressure of lower margins and budget cuts, like, continuing to do what’s right because that, you know, that’s, you’re going to pay at some point. Like, you’re going to pay now or pay later. Like, your customers are not idiots. Like, they will eventually catch up. 


Ray
And once you’ve burned that, like, brand preference, then that’s a hard thing to recover from. 


Adam
Yeah, no, definitely. That’s key. Having that lens of, yeah, definitely, we need to be productive, but we also need to keep the customer who’s the most important thing, the whole reason that we’re doing the work in mind. You know, there’s a lot said nowadays about move fast and break things, and that is important when it comes to innovation and moving things forward as a startup, it’s really important, like you said, to have that just extra thing in the back of your mind that saying, like, well, yes, I can get this done this way, but is it going to impact privacy data security by not slowing down a little bit? And as the company grows, I think generally what happens is because you’re hiring to solve specific problems, you end up getting someone like, we’ve got a compliance manager on hand. 


Adam
I’m sure you guys do. Compliance staff that are able to approve things, take a look at things and make sure that while we keep moving fast, we’re doing it in a responsible way. Yeah. Yeah. 


Ray
Is this a spicy take to say that I hate the move fast break stuff, especially the second part, like, was that Sequoia that said that, like, 30 plus 35 years ago? Like, I think that that’s the moving fast part is super important. I think for a lot of our customers, larger healthcare organizations with a defined market, moving fast is less important. And maybe it’s about time boxing stuff. So we have a thesis for something we can’t say to our leadership that’s going to take a year to get the results. How do we time box it to say that we can demonstrate results? And it might be unrealistic for 30 days, but what’s the smallest time box? We can get to some kind of proof point that gives everyone the good feeling of, like, investing more in it.


Ray
And then the break stuff thing, you just can’t, if you’re in a regulated industry, it’s not an option for you because the breaking stuff ends up like losing a job, getting sued. It’s like, not, it’s not good. Like, oh, yeah, nurses get sued all the time and get fired and lose their nursing license over sharing PHI. Like, it’s not something to, like, mess around with. So I think that, I think you just can’t, you can’t dismiss that part. Like, you just have to always keep it in mind.


Adam
Yeah, that’s a great point. I think, you know, but move fast, break things, I think it’s used sometimes accurately, where you’re in a burgeoning industry, you know, a kind of wild west thing where it’s just like, we don’t have time. There’s no one cares right now. There’s, there’s not much of a, an industry in place. But, yeah, for healthcare, it’s definitely not a fair, not a good attitude. 


Ray
We could have a whole podcast conversation about why move fast break stuff is actually just a really bad growth framework.


Adam
Yeah, definitely. Okay, well, I think we’re coming up to the end of our time, Ray. So was there anything that we haven’t touched on that you’d like to mention? 


Ray
I don’t think so. Like, shameless plug. I’m on LinkedIn. So if you’re in healthcare marketing and you want to get into the nuances of privacy and even full funnel strategies, we’ve got a lot of customers who are using, leveraging those to like, improve results on similar spend and then, yeah, Freshpaint. If you’re still trying to figure out how to, like, continue to run the campaigns, you need to grow and mitigate the risk of privacy that is in front of you. It’s freshpaint.io. We definitely have a lot of content that helps people stay informed and at least keep up to date on the latest regulations and guidance that continue to drop. Awesome.


Adam
Yeah. And links in the description, and we’ll make sure we use these episodes as well as materials. When people do reach out to us with specific questions and they don’t necessarily just want to get a quick answer, they want to kind of ingest and understand the process a little bit better, we’ll be sure to share this with them. Well, Ray, thank you so much for joining me today. And thank you all for listening and watching. And until next time, thanks for stopping by. 


Ray
Thanks for having me.