
Consent based infrastructure in digital health is how you protect patients and still grow. This episode explains the technical shifts and the playbook to handle them. Start with consent. Make it simple for people to understand, accept, view, and change their choices. Store those choices and use them to control every downstream data flow. Design payloads that are minimal and useful. Send filtered server side events and avoid PHI. Keep a clear data map so legal, security, and growth see the same picture.
On the tools side, pick vendors that are ready for healthcare. You will need BAAs, audit logs, role based access, and data residency options. Expect less client side signal as browsers and platforms tighten rules. Replace pixels with consented server side events and use modeled conversions and offline events to close the loop. Always measure from first party checkpoints so leadership trusts the reports. Treat privacy as a product feature. Test your consent UX, watch opt in rates, and explain the value people get when they share data. Done well, this system earns trust and gives your team the signals they need to invest with confidence.
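An added sketch, not code from the episode or from any vendor's product, of what "store those choices and use them to control every downstream data flow" can look like on the server: a consent lookup gates each destination, and a per-destination allowlist decides which fields leave. The destination names, field names, event aliases and the sample event are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical destinations and the consent category each one requires.
DEST_CATEGORY = {"analytics_vendor": "analytics", "ad_platform": "advertising"}

# Allowlist per destination: only these keys can ever leave the server.
# Identifiers such as email, IP or user_id are dropped by omission.
ALLOWED_FIELDS = {
    "analytics_vendor": ("event", "timestamp", "page_category"),  # assumes a signed BAA
    "ad_platform": ("event", "timestamp", "click_id"),
}

# Neutral names sent to the ad platform in place of descriptive event names.
AD_EVENT_ALIASES = {"appointment_booked": "conversion_a", "page_view": "view"}

# Constructed sample event as it might arrive from a first-party checkpoint.
SAMPLE_EVENT = {
    "user_id": "u-1001", "event": "appointment_booked",
    "timestamp": "2024-01-01T12:00:00Z", "click_id": "CLICK-EXAMPLE",
    "page_category": "scheduling", "email": "patient@example.com",
    "ip": "203.0.113.7", "appointment_type": "example-specialty",
}


@dataclass
class ConsentRecord:
    regime: str = "opt_in"                        # "opt_in" or "opt_out"
    choices: dict = field(default_factory=dict)   # category -> True / False


class ConsentStore:
    """Holds the latest choice per user and category; updates apply immediately."""

    def __init__(self):
        self.records = {}

    def set_regime(self, user_id, regime):
        self.records.setdefault(user_id, ConsentRecord()).regime = regime

    def set_choice(self, user_id, category, granted):
        self.records.setdefault(user_id, ConsentRecord()).choices[category] = granted

    def permitted(self, user_id, category):
        record = self.records.get(user_id)
        if record is None:
            return False                          # unknown user: fail closed
        choice = record.choices.get(category)
        if choice is None:
            # No explicit choice: only an opt-out regime allows tracking.
            return record.regime == "opt_out"
        return choice


def filter_payload(destination, event):
    """Build the minimal payload for one destination, or None if nothing may be sent."""
    payload = {k: event[k] for k in ALLOWED_FIELDS[destination] if k in event}
    if destination == "ad_platform":
        alias = AD_EVENT_ALIASES.get(event.get("event"))
        if alias is None:
            return None                           # unmapped event names are never sent
        payload["event"] = alias
    return payload


def dispatch(event, store, audit):
    """Return {destination: payload} for permitted destinations; log every decision."""
    outgoing = {}
    for destination, category in DEST_CATEGORY.items():
        allowed = store.permitted(event.get("user_id"), category)
        payload = filter_payload(destination, event) if allowed else None
        audit.append({"destination": destination, "category": category,
                      "event": event.get("event"), "sent": payload is not None})
        if payload is not None:
            outgoing[destination] = payload
    return outgoing


if __name__ == "__main__":
    store, audit = ConsentStore(), []
    store.set_regime("u-1001", "opt_in")
    store.set_choice("u-1001", "analytics", True)
    print(dispatch(SAMPLE_EVENT, store, audit))   # analytics only
    store.set_choice("u-1001", "advertising", True)
    print(dispatch(SAMPLE_EVENT, store, audit))   # both destinations
    store.set_choice("u-1001", "advertising", False)
    print(dispatch(SAMPLE_EVENT, store, audit))   # withdrawal honored on next event
```

Because the gate runs at dispatch time rather than at banner time, a withdrawn choice takes effect on the very next event, and the audit list records what was and was not sent for each destination.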
Understand trends in critical privacy and regulatory considerations to protect patient data while building trust and driving growth.
This episode brings a privacy first CDP founder, a technical media lead, and a consent platform co founder to map the new stack for growth and trust.
The industry as a whole has massively improved its approach and stance towards patient privacy and compliance… A lot of that is because of effective but very publicized action by the FTC, the OCR, and just a wildly increasing amount of class action lawsuits against healthcare companies.
Adam Putterman
The Co-Founder of Ours Privacy, which is a customer data platform (CDP) that helps healthcare organizations run compliant, privacy-first marketing campaigns. With deep expertise in HIPAA and state regulations, CDPs, and healthcare tech, Adam brings sharp insight into how brands can navigate digital marketing while protecting patient data and building trust.
Following a privacy-centric approach forces teams to be smarter and more respectful in your growth motion. It forces discipline into how you’re tracking, dispatching, and using data.
Jessica Holton
The Co-Founder of Ours Privacy, a HIPAA-compliant customer data platform and third-party pixel replacement for healthcare marketers. Ours Privacy acts as a privacy-first buffer - removing PHI from data flows while still enabling ad and analytics optimization across the funnel - and also provides consent management, giving organizations control over how user data is collected, stored, and shared. Jessica and team work with leading digital telehealth companies, hospitals & health systems, and wellness brands to make privacy infrastructure both compliant and growth-ready.
Chris Madden:
In digital health, things are changing fast, especially when it comes to privacy. We’re in a moment where patient trust isn’t just a value. It can be a strategy. And the way we earn that trust is shifting from collect data first and sort it out later to something much more intentional, consent based infrastructure.
That means building systems where patients choose how their data is used, where marketers and platforms are smart enough to respect those choices without slowing down growth. This is Marketing Digital Health, and I’m your host, Chris Madden. We’re not just talking about policy, we’re talking major technical shifts from how pixels get deployed to how CRMs and CDPs manage PHI, to how ad platforms are rethinking who they’ll even let you target.
This episode is all about that intersection, how to stay compliant while still reaching the right people, building trust and driving conversions. To help us break it down, we’re talking with Adam Putterman and Jessica Holton, two leaders navigating this exact moment from both the tech and marketing sides.
Adam Putterman is the co-founder of Ours Privacy. We first introduced Adam in episode 10 when we discussed technical setup around events, signal resilience and attribution. Adam starts us off by talking about just how fast things shifted in the past year or two. Not gradually, but dramatically. Big names like the FTC and OCR have gone from background players to headline makers.
Privacy lawsuits are on the rise. Compliance can’t be just an afterthought anymore. It’s a board level issue. Let’s listen to Adam to break it down.
Adam Putterman:
The industry as a whole has massively improved its approach and stance towards patient privacy and compliance in general. And a lot of that is because of effective, but very publicized action by the FTC, the OCR, and just a wildly increasing amount of class action lawsuits against healthcare companies, and we’re still seeing that today.
It’s changed a lot. I think if you went back two years ago, you would find most companies not just sharing some things, but sharing everything fully. Not just pixel, but capturing and sharing back everything because again, that’s just how marketing works today. If you look at most large digital health companies, they’re, one, using a CDP or some internally built tool to remove as many user properties as they can while still effectively advertising.
They’re doing the same for analytics if their analytics provider doesn’t sign a BAA, which many do now, which is great. And another improvement in terms of like the companies we see because we have a lot of companies that come to us for audits or just to take a look at their performance. It’s 50–50 in terms of whether they’re just sharing a click ID or sharing a click ID with an obfuscated event and an IP address or a click ID with an obfuscated event and a hashed email.
It’s pretty evenly split. I rarely see a company that’s coming now and just optimizing for standard purchase events with everything shared. There’s usually some action being taken.
Chris Madden:
The BetterHelp settlement, something we’ve touched on previously in the series, was a warning shot for all companies.
Protecting consumer data and staying compliant has to be taken seriously. If you’re handling patient data at scale and you’re not compliant, it’s only a matter of time before someone notices. Adam expands on how that one case shifted internal conversations about risk for everyone watching.
Adam Putterman:
The big wake up call for a lot of companies was one, the BetterHelp settlement with FTC, just because BetterHelp has such an extreme scale that many companies use it as an internal comp for compliance practices and really compliance risk. And then two was the letter sent to, I think it was 130 different health systems, explicitly warning them about the Meta pixel and pixeling practices in general. Huge wake up call. And then three was just seeing that civil class action lawsuits were increasing in scale more and more.
I think that was the big fear driver for a lot of digital health companies in particular, because even if you think, oh, the FTC or the OCR isn’t gonna come after me, there’s nothing stopping a class action. Also where the calculus is a little different in terms of resources. I’m not saying that’s a good thing because some of these cases are definitely a little forced, but that really changed the calculus for people on what the risk was.
Chris Madden:
And while privacy has become a much bigger deal, the channels we use to reach people keep multiplying. Healthcare marketers aren’t just running Facebook and Google campaigns anymore. They’re experimenting with podcasts, programmatic, influencers, TikTok. Anything that meets patients where they already are.
Jessica Holton is the co-founder of Ours Privacy. We introduced Jessica in episode 16 around navigating state level fragmentation. Jessica offers a great example of this shift.
Jessica Holton:
We’re seeing more and more with our clients that absolutely, Google and Facebook are the core backbone of a lot of their ads, but we’re seeing a lot of success with different ways of getting in front of customers.
So things like podcasts and being able to track podcasts. So a company called Podscribe, we have a really great integration with. We see that increasingly become more of a channel that people rely on, especially as you can do more focused targeting for things like podcasts. And then platforms like StackAdapt or The Trade Desk are also increasing in popularity.
The kind of channel diversification that we’re seeing our clients use is growing, seems like by the week, but Google and Facebook certainly continue to be the core destinations. In terms of the platform differences, I would classify them into three categories across ad platforms. First category is they are HIPAA compliant and will sign a BAA.
This is pretty rare for an ad platform because their ability to optimize ads is reliant upon data, and so they are not in the business of being HIPAA compliant and processing healthcare information and probably never will be. Number two is companies that say, okay, we can serve healthcare companies but do not send us health information.
We are not HIPAA compliant. We do not want health information. So it’s your responsibility to not send out health information or identifying information plus healthcare information. And then third is ad platforms that are really pushing back against getting this data actively. So not just making it the advertiser’s responsibility, but taking it upon themselves to say, you are a healthcare company.
We are not serving you. And the majority of ad platforms will fall into that second category where they say, don’t send us health information. It’s up to you not to do that and to follow our terms. Meta falls into that third category, which as many of us know, they came out with new restrictions for any advertisers that they deemed to be a health and wellness business.
The restrictions ranged from partially restricted to fully restricted and the bulk of our clients get partially restricted, and what that means is that Meta says you are a health and wellness business. We do not want any information that could be potentially classified as health information, and so we will not accept or optimize campaigns for your purchase events, your add to cart events, basically bottom of funnel events.
And so you need to figure out a workaround or just don’t use these and instead use top of funnel events. They’ve since even further clarified what those restrictions are and really actively trying to not accept any health information. So all of these platforms have different ways of managing this, and we’ve seen that Meta is the first to really take a stance of actively not only putting the onus on you, the advertiser, but actively pushing against getting potential information that could be healthcare information.
Chris Madden:
Let’s get to the core of this whole privacy conversation. Consent. It’s the starting point, and with so many tools and vendors involved in modern marketing, managing that consent across every script, every piece of data can get messy fast.
Jessica explains how they’re helping companies simplify it.
Jessica Holton:
Our consent management platform lets you manage consent not only for Ours Privacy tracking and dispatching, but for all of your scripts and all of your vendors. So there are two main pieces of consent management. Number one is what scripts actually load and when.
Number two is once consent is granted or not, where does that user’s data actually go? The first part within Ours Privacy is you have full control over all of the vendors and when they load based on consent given, so Ours Privacy replaces the cookie banner and is the cookie banner that you see pop up on all the sites and lets you have full control over what users see in terms of language there and accepting all cookies, rejecting all cookies, having a fine tooth on categories of cookies that they’re going to accept.
Based on that consent and based on the state that that user is in and what laws you need to comply with, because some laws say that the user has to explicitly opt in before anything can be tracked. Some states say as long as they don’t opt out, then tracking can occur. So based on the user’s consents and the geolocation requirements, that’s what’s going to dictate, okay, we are okay to load all analytics scripts and therefore do tracking for analytics purposes.
But this user decided not to opt into advertising tracking, and so we’re not going to dispatch out any advertising or track anything related to advertising scripts. So Ours Privacy makes it really easy for you to list out the scripts that you want to block and block them correctly when the user has given that consent or not given that consent.
There are two other pieces here. Number one is users need to be able to withdraw their consent, and it’s really important to not only let users do everything they need to do with regards to consent, giving it and withdrawing it. The other thing that Ours Privacy makes it really easy to do is surface what scripts you already have on your site.
So we have a web scanner that scans your website and tells you, here are all the scripts that you are tracking and what category, and you have full control over what category you place each of those scripts into. So from a UI perspective, we aim to make it really, really simple to go through the steps of setting all of this up.
And the huge benefit of working with an Ours Privacy CMP is that it lives inside the same exact platform that your CDP is in. And so what that means is, talking about the second part of consent management, where does the data go once you’ve given or not given consent? That’s what’s controlled by the CDP.
So all of your destinations of data are in your CDP, and you have full control over where each user’s data goes based on their consent settings, because the consent is in real time updated on that user, and then immediately dictates if it can actually get dispatched out to an advertising destination or to an analytics destination, or no destinations.
You also have really detailed control over what information gets sent for each event, so it’s all in one platform, which makes it really, really straightforward so that you don’t have to put together this puzzle of various players doing various things, because inevitably the thing that we’re seeing is that lawsuits are arising and cases are arising because of misconfiguration and consent management or consent settings not actually getting honored.
So it’s really important that not only do you have the banner and collect consent, but you’re actually taking that consent into account when tracking and dispatching, and I know that sounds so yes, obviously, but that’s why a lot of lawsuits are happening right now is because that’s not happening. So it’s really important to actually be able to have confidence that when you’re putting this into place, you are truly honoring the consent settings when it comes to tracking and dispatch.
Chris Madden:
And once you’ve got consent, you need data, especially if you’re a marketer. But in healthcare, data is complicated. What you can collect, what you can use, how it can be shared, none of it is straightforward.
Here’s Jessica explaining what healthcare marketers really need to make campaigns work and why it’s such a challenge in healthcare.
Jessica Holton:
The evolution of tracking for healthcare marketers has taken quite a long journey.
So let’s take a step back and understand what a marketer needs in healthcare or outside of healthcare in order to optimize their campaigns. In order to really leverage the full algorithm power that Meta Ads and Google Ads have, you need to share back information with Google and Facebook to help guide their algorithms to know who is the right person to serve this ad, to what campaigns are working.
And so traditionally and still today, in consumer, in industrials, any kind of industry that is not healthcare or a regulated space that needs to really take privacy very seriously, what Google and Facebook – and I’m just using Google and Facebook as examples, this relates to every single ad platform – they want you to install what is called a pixel on your site. It’s a snippet of code that gets installed across your entire site and it lets Google and Facebook track all data that happens and all events that happen on your site.
So the user journey is someone sees an ad on Facebook and clicks on that ad and then comes to the website. And because a Facebook pixel is on that website, Facebook can now connect what that user is doing after clicking on an ad. And did they view the page view that you wanted them to view? Did they purchase the product that you wanted them to purchase? Did they book an appointment, and all of that data, because Facebook has the pixel or you have the Facebook pixel on their site, all of that data gets sent back to Facebook, and so there’s this two-way data flow where Facebook is able to see what campaigns are working and they’re able to match exactly who is doing what on the site so that they can optimize their algorithm to show more people like that more ads so that you can get a good ROI on your campaigns.
The problem with that is within healthcare, of course we’re following HIPAA. And HIPAA says that you cannot share personally identifiable health information with third parties who are not HIPAA compliant and who have not signed a BAA with you. And so the problem with having a Facebook pixel on your sites is that you are sharing all of the data that happens and takes place on your site.
It’s all identifiable because IP address is one of those identifiers and Facebook also can track form fills with email addresses and you’re sending back information to them specifically about what pages someone is viewing, what content someone is watching, what appointments are being booked, and therefore what health information or healthcare is being administered or sought.
So you can’t share that information back with Facebook under HIPAA. And so as that was becoming clear and as HIPAA issued more guidance around, you cannot have tracking pixels that share just any blanket information back with Facebook, CAPI or conversions API became a go-to solution. And so what that is, instead of installing a Facebook pixel or Google pixel directly onto your site, sitting on your site tracking everything, you the company are instead sending back specific conversion events to Facebook and Google, and you have much more control over what actually gets sent to those platforms.
And so that was a solution that helps companies get more control and remove identifying information and really be able to, instead of track every single thing on the site, track specific events that you want to optimize your campaigns for.
That is really good from a compliance perspective. From a marketing perspective, it’s a really hard thing to get really right because you need to be able to track a user after they click an ad. But even beyond that, maybe they click on an ad, they come to your site, and then a week later they actually do the event. Maybe it’s book an appointment that you want them to do, and by that time it’s hard potentially to connect that user who books the appointment to the user who clicked on the ad originally, and that’s one of the downfalls of CAPI.
The other downfall or challenge with CAPI is in order to make it effective to you, it does take a lot of engineering work, so it takes a lot of dev time to be able to set up, to troubleshoot, to modify. And when your engineering team, tech teams are working on so many different things throughout the company, it makes it difficult for the marketing team and the tech team to align and have the same priority around this tracking, which is so fundamental to marketers. CDPs started being the go-to solution.
CDP sits in the middle of your sources and your destinations. Your sources of data are any events that take place on your site. They could be your EHR. They could be form fills, scheduling tools, any sources of data that users, or any sources of events that users take on your site or in your platforms.
All of that event data comes into the CDP, and that’s where you process it and have full control over the modifications before they get forwarded out to your destinations. The really nice thing, in addition to the compliance benefits that you get from this, is that all of your data is flowing through one source or one platform, and so you can control all in one place what is getting dispatched and where, without having to worry about, okay, we have a Facebook pixel, we have a Google pixel, we have a GA4 pixel. We have all these various pixels that we have to administer separately. And instead all come through this one central place that you can then control before it gets forwarded on.
And so this has become the go-to because it’s compliant, it gives you full control over what gets sent out, and it takes so much less, if any, engineering time so that marketers who are the core user of Ours Privacy platform, they are the ones that can be in there, make changes that they need to in real time, and get those marketing benefits as a result.
Chris Madden:
That’s where CDPs have changed the game. Adam has seen firsthand how smart data systems can let healthcare brands grow, personalize, optimize, and still stay fully compliant. It’s not about choosing between reach and compliance anymore. Let’s hear what he’s seeing on the front lines.
Adam Putterman:
It’s tricky because healthcare marketers in particular are put in this impossible situation.
Where they’re trying to help people and in order to help people, they need to reach people. And in order to reach people, they have to work within these heavy data intensive platforms or heavy data requiring platforms. And so they’re often stuck with this impossible choice of, do I share data I’m uncomfortable sharing, or legally not able to share, or do I wither on the vine because I can’t reach the people we’re trying to help?
And so I think that more and more we’re seeing people adopt sophisticated technical ad setups, including CDPs, in order to not have to compromise and to get the best of both worlds. And I think that’s only gonna increase. It’s harder and harder to get people’s attention.
It’s harder and harder to reach consumers. The digital health market in particular is becoming more and more competitive and more and more served by more and more companies every day. And so the need to reach people is only gonna increase or the difficulties.
Chris Madden:
To grow in this space, you can’t ignore the trends, especially now when the trends are about trust.
Privacy isn’t just a check box, it’s the foundation of every successful relationship with your audience. Jessica takes it a step further. She believes a privacy first approach doesn’t slow growth. It strengthens it.
Jessica Holton:
Following a privacy centric approach forces teams to be smarter and more respectful in your growth motion.
And so it forces discipline into how you’re tracking and how you’re dispatching out to destinations and how you’re using data in your marketing overall. So I think it leads to clearer data and stronger audiences to target. Overall, a better relationship that you have with your customers. So a few things as to why I think that privacy first approaches can actually be an advantage to marketing teams.
Number one, it forces clarity in your funnel. So if you’re relying on just native pixels tracking everything, which at this point hopefully you’re not doing, but if you’re relying on tracking everything because you have pixels and you have everything going back to all platforms, you are just tracking everything. That is not helpful to you.
Optimizing very clear goals and clean conversion events that actually do move the needle for your business. So having the discipline around taking a step back and working in collaboration with your legal or compliance team and your marketing team helps you to define as an overall business what are the meaningful KPIs that actually do drive the business that you actually do care about, and it will ultimately end up with better, more accurate attribution models.
Because instead of you saying this user probably converted from Facebook, you actually know exactly who opted in and what consent tier they’re in and what channel they came from because you built in consent-aware funnel tracking. So number one is discipline. It forces teams to be really clear about what metrics they actually want to track and share with third parties.
Number two, it encourages you to use first party data. So by using first party data and consented events, they are more reliable anyway, so you’re using more of your own company data to track consented conversions in your CDP and send that back rather than relying on what feels like sometimes a black box of Meta reporting.
And so you actually can do better optimization because you’re optimizing for what you actually care about and not blanket events across your funnel. So you can be really targeted on what it is that you’re moving the needle on with your campaigns. Third is you can build a better audience because users who actually consent to being tracked and sharing data back are more engaged.
So you’re sending back events for your more engaged users. That is going to have a much better interest signal to these platforms. And so ultimately we see better CAC, better LTV when you are using the data from consented users. And then lastly, more from a high level, you are building trust with your users.
And when users know that you respect their privacy, they’re more willing to opt in in the future. And when they feel like you are transparently communicating what you’re tracking and where it’s going and why, then they’re less likely to feel just weird about being on your site or feel like you might be using their data for something that is hidden from them, and they don’t trust that and they don’t understand that.
Instead, by taking that transparent approach and being really clear on what you are tracking and giving them the option to opt out at any point gives you as a marketer the ability to build that relationship with the user, and I think that’s a real asset. If you’re trying to hide consent and just skirt by and do what you need to do from a state perspective, you’re missing an opportunity to actually build trust and credibility with your potential patients.
Chris Madden:
Adam is on the front lines of this every day, seeing just how fast state privacy laws, data practices, and ad platforms are changing. The rules aren’t just evolving, they’re splitting. What’s allowed in one state might be illegal in the next. And while it’s a lot for healthcare companies to juggle, the payoff for getting it right is huge.
Adam Putterman:
So on the first one. We have companies every day now coming to us just concerned about the sheer number of state privacy laws and how different they are, and that’s a huge burden for companies that are national and trying to navigate, well, how can we comply with Washington and Texas and California?
They’re all saying different things and even just the effort of keeping up with all of the changes, it can be immense. And then the subpoint there is that the states are actually taking action against companies and you’re seeing that these laws actually have teeth. They’re not just performative or for the sake of publicity.
And then the second is the ad platforms themselves starting to dictate what can or cannot be sent to them. So you have top down and bottoms up, which is very new and interesting. So Meta, LinkedIn, more platforms seem to be following and saying, actually, we’re gonna prevent you from sending a certain type of data to us.
So healthcare companies are getting hit from both sides on this.
Chris Madden:
And even with all those challenges, Adam sees the win here. Compliance isn’t killing growth, it’s enabling it. When you’re doing it right, you’re not just following the rules, you’re opening the door to reach more people with more confidence and more impact.
Adam Putterman:
I love what we do because in the past, one company providing a certain type of care to one type of person, and now we get to enable lots of companies helping lots of people in very different ways. So to me, it feels very direct, and it’s this idea again, of you can’t help anyone if you can’t reach them.
And a lot of companies, particularly because of the compliance requirements, are in that situation where they’re sitting there and they know how to reach people, but they technically cannot do it in a compliant and/or an effective way, and we get to enable them to do it. So I feel a very direct connection to it, sort of piggybacking on all of our clients who are doing really great things to help people directly, and we get that indirect good feeling.
Chris Madden:
What we heard today makes one thing really clear. Privacy is reshaping digital health. It’s not slowing it down. The companies that are winning aren’t just adapting to regulations. They’re embracing consent based systems, smarter data flows, and cleaner tech stacks that actually strengthen patient relationships.
Because when someone trusts you with their data, they’re not just a lead, they’re a partner. That’s what drives lifetime value, repeat engagement, long-term growth and trust. So whether you’re a marketer, a founder, or a lead on a legal team, the opportunity is the same: build with privacy in mind, and you’re not just playing defense anymore, you’re building a brand people believe in.
Innovation isn’t just happening in scaling digital health businesses. Episode 20 shows how hospitals and health systems themselves are rethinking marketing to win patient trust.