Marketing Digital Health: Legal-Marketing Collaboration


Summary

Legal-marketing collaboration in digital health is a growth advantage when you set it up on purpose. This episode shows how marketers and counsel can move fast together without missing the lines. Start with a shared view of risk. Write down red lines, gray zones, and what needs review. Build a claims library with approved language, sources, and disclosures so creative teams can work from safe building blocks. Speed comes from process. Use annotated mockups, checklists, and SLAs so reviews are predictable and focused.

Privacy and data shape every campaign. Map consent, vendors, and data flows up front. Send filtered server-side events and keep BAAs and policies current. Chris Turitzin shares how to wire these agreements into a repeatable system that scales with more channels and partners. Kaitlyn O’Connor and Rebecca Gwilt walk through how lawyers can enable creativity by clarifying rules and creating space for tests inside safe bounds. Train teams on the basics so fewer items need escalation. Measure the collaboration. Track time to approval, rework rates, and incidents so the process keeps improving. Done right, the partnership ships more ideas, with less risk, and better patient outcomes.

Takeaway

Learn how digital health marketers and legal teams can work in harmony to create compliant, innovative campaigns that don't sacrifice growth.

About the Guests

This episode brings two healthcare regulatory attorneys and a growth systems builder to map a practical path for fast, compliant campaigns.

HIPAA was first published in 1996 and it hasn't really changed very much since then... Most of the laws in the healthcare world are pretty old. They're pretty complex... You have to identify the areas where you can push the boundaries a little bit, understanding that the laws are old and maybe haven't been updated to apply directly to what you are building.

Kaitlyn O’Connor is a leading voice at the intersection of law, innovation, and healthcare and is the Co-Founder at Elevare Law. As an experienced healthcare regulatory attorney, she guides digital health companies through the fast-evolving compliance landscape, ensuring that growth and innovation happen within regulatory bounds. Her perspective is critical as health tech companies scale patient acquisition, integrate new technologies, and face growing scrutiny.

Our best work as lawyers is serving as strategic partners for our clients in creating that which does not yet exist in a way that’s sustainable and mitigates risk for the company.

Rebecca Gwilt is a healthcare regulatory attorney and co-founder of Elevare Law, where she helps digital health companies design legally sound, market-ready business strategies. With deep expertise in HIPAA, data governance, and the fine line between innovation and compliance, Rebecca is a trusted advisor to founders, marketers, and legal teams navigating an increasingly high-risk environment.

Rigor is essentially the constant seeking of truth... Everything in the world generally can be described as some form of mechanism, and that mechanism can be described through dashboards and data.

Chris Turitzin is a growth advisor and founder of Single Aim, known for bringing rigorous product and marketing discipline to the world of digital health. After years of leadership at Meta and digital health companies, he now advises companies like Bicycle Health, Ours Privacy, and other healthcare leaders on how to architect scalable growth systems tailored to diverse business models, from DTC to payor-aligned care.

Full Episode Transcript

Chris Madden:
Have you ever had a campaign ready to launch, only to have it stalled by legal, or maybe you’re a lawyer yourself and you’re continuously reining in creative ideas that feel just a little bit too risky? If that sounds familiar, then this episode is for you. This is Marketing Digital Health, and I’m your host, Chris Madden.

Today we’re unpacking one of the trickiest dynamics in digital health, which is how marketing and legal can actually work together instead of against each other. Two teams that don’t always speak the same language, but absolutely need each other to succeed.

This episode features Kaitlyn O’Connor, a new voice to our series. You’ll hear familiar guests like Chris Turitzin and Rebecca Gwilt. Today’s guests are yet again here to guide us with their expertise so you can learn how to navigate the complexities of staying compliant without being held back.

Kaitlyn O’Connor is a leading voice at the intersection of law, innovation, and healthcare, and is the co-founder at Elevare Law. As an experienced healthcare regulatory attorney, she guides digital health companies through the fast-evolving compliance landscape, ensuring that growth and innovation happen within regulatory boundaries. Her perspective is critical as health tech companies scale patient acquisition, integrate new technologies and face growing scrutiny.

Elevare Law was created with the intention to break barriers and build the new future of healthcare. They typically work with really motivated, personally invested founders in the healthcare space whose vision of the industry aligns with their own. Their goal is to make healthcare better, more accessible, more equitable, easier to get, and less expensive.


Kaitlyn O’Connor:
So I think that simple in particular, is actually not how healthcare regulations and laws exist. They are very complex. They are not simple. They are in many cases very old and have been around for a really long time, which means they haven’t kept up with innovation.

So what our approach is, is we will take complex topics, distill them down into two or three important talking points, and also include very actionable recommendations. For example, if a client comes to me and asks me a question about a particular marketing referral arrangement that they want to set up, my initial response is, that’s probably going to implicate the Anti-Kickback Statute, let me put together some thoughts on it and then let’s talk through it.

And then my response will be, okay, under the Anti-Kickback Statute, you can’t structure this exactly how you proposed it to me. Here are three ways that the government has said you can structure these types of relationships and here are the things that I recommend you put into place in order to better align with the way the government has approved this kind of thing, and also just making sure that those recommendations stay aligned with the goal that the client has set out.

What we hear from clients a lot is, when they’ve been working with other law firms, a lot of times they’ve spent several weeks, several months asking the same question to their other lawyers who have just said, no. They’ve said the Anti-Kickback Statute doesn’t allow this, and then they don’t follow that up with specific recommendations or specific examples of ways that they can achieve the goal they’ve established.

And so we try to do that in a clearer way, and we do that in a more efficient way by leveraging AI and other types of software tools that augment our experience and our knowledge and just help us draft contracts faster and analyze certain legal issues, that kind of thing.


Chris Madden:
Working with our legal team means having real expertise on your side. People who understand the pace of healthcare and the language that comes with it. Elevare Law helps their clients evolve and grow inside one of the trickiest landscapes out there. It’s not about slowing innovation down, it’s about finding the safest way forward. That’s how you build a company that lasts.

Rebecca Gwilt is a healthcare regulatory attorney and co-founder of Elevare Law. We introduced Rebecca in episode 15 around privacy and compliance in marketing.


Rebecca Gwilt:
It has allowed us from a business perspective to understand and more easily adopt and take advantage of the evolving technology solutions that are out there, having nothing to do with healthcare in particular. That’s been really fun as we have built this business.

And it has allowed us to serve not only as experts in what the law says about partnerships and data sharing and building businesses and reimbursement and closing commercial deals, but also the ability to look out across the industry at trends, at the sort of evolution of policy and really serve as partners with our clients who are trying to figure out problems that nobody’s solved before.

So I would say yes, we do the nuts and bolts of, we help you with contracts, we help you start your business, we help you grow your business, we help you close deals and stay out of trouble. Our best work as lawyers is serving as strategic partners for our clients in creating that which does not yet exist in a way that’s sustainable and mitigates risk for the company.


Chris Madden:
I love how Kaitlyn got specific and personal here. That story about the client stuck in months of no answers, it’s a great example of why having the right legal partner matters. Elevare doesn’t just stop at what can’t be done, they find creative, compliant ways to move you forward.

And up next, we’ll hear more about what a kickback really is and how to avoid it before it becomes a problem.


Kaitlyn O’Connor:
Recently I had a client that came to me. They had been working with a nationally recognized healthcare law firm for several months, trying to identify a way that they could coordinate care between primary care providers, hospice agencies, and home health agencies.

And how could they do that in a way that was low cost to all of the stakeholders that they were working with, low cost to patients, affordable for the providers, added value for the hospice and home health agencies that they were working with.

And one of the ways they wanted to do that was by providing their services for free or at a significant discount to the providers that they were working with, to the hospice agencies, to the home health agencies.

Providing services to an entity that bills Medicare — which in this case all of the entities they were working with bill Medicare — traditionally providing services for free or at a very steep discount to entities that bill Medicare is a kickback, particularly if you’re doing something that contributes to whatever they’re billing for.

So if you’re providing a service that facilitates a form of remote monitoring that the provider can then turn around and bill for, if you provide that service for free, where the provider or whoever you’re working with would have to pay for that service if they were to work with someone else, that’s a kickback and you’re not allowed to do that.

And so they’d been hearing, no, this client had been hearing no a lot from the other law firm that they’d been working with. They’d spent thousands of dollars, countless hours talking to attorneys, having attorneys research the issue, and they came away with a, no, you can’t do this, here’s what the law says, go figure it out and come back to us with a new proposal.

When they came to us, we said, okay, the way you want to set this up as you’ve proposed it to us, yes it does implicate the Anti-Kickback Statute. The way you want to set it up is probably not permissible under any of the applicable safe harbors. However, there are a couple of new value-based enterprise safe harbors that were just introduced a couple of years ago that most healthcare lawyers that I know haven’t really found a way to leverage yet, but I think this is a perfect way for us to leverage it.

So let me put together a model diagram for you. Let’s get back on a call and talk about all the things you’re going to need to put that in place, make sure the plan that I put together for you still aligns with your overall goal, right, which is adding value for these various entities that you’re working with and making sure it’s seamless for patients to go from a primary care provider to hospice and leveraging the technology you already have to make that process seamless and to add that value that you want to add.

And we did that in a matter of, you know, probably a week. And we went back to them, we set it up, we explained how it would work. They said, this is exactly what we’re trying to do, let’s do it.

And within a month we had everything set up, and now they’re out in the world providing exactly what they set out to provide in a way that is compliant.

It’s so important when you have a new strategic idea for your company that you know will require marketing to make sure that you have providers that want to participate in this model. But it’s why thinking about compliance is so important to actually keep you moving forward, so not as a way to slow you down, but as a way to create a competitive advantage, create something new that most other companies in your space haven’t figured out yet, and go out into the market and be the first one to do it.


Chris Madden:
Kaitlyn mentioned how value-based care regulations are still relatively new and how few companies have really learned how to leverage them. She walks us through where they came from and why they matter.


Kaitlyn O’Connor:
Historically, the Anti-Kickback Statute has been very prohibitive to growth initiatives, because the Anti-Kickback Statute prohibits paying for referrals of patients that are covered by federal or state healthcare programs.

Interestingly, after several years of industry stakeholders talking about this, the government said, actually, we think you’re right. We do see how the Anti-Kickback Statute, as it currently exists, could be prohibitive to some really important, really valuable services that you stakeholders want to provide to patients.

So we’re going to set up a set of safe harbors called the Value-Based Enterprise Safe Harbors. There are three key safe harbors, and essentially what they’ve done is they’ve said, we have outlined three types of business arrangements that traditionally would have violated the Anti-Kickback Statute, but if you do them in this very specific way, we actually think it’s okay because we can trust that the value that you’re delivering for patients is going to outweigh any extra cost that Medicare has to pay, or extra cost that the government has to foot the bill for.

And those three safe harbors, just to simply state them, one is for care coordination arrangements. So that’s where you have a company that is coordinating care between multiple provider entities, which is similar to a situation where a company is facilitating care coordination between a primary care provider and a hospice agency and/or a home health agency.

They’re taking patients from that primary care provider. They’re using an algorithm to identify and stratify risk across the patient population and pull out the patients that need to go to hospice. Pull out the patients that can probably actually go to home health first before they go to hospice to delay that timeline before they actually need hospice care.

So that care coordination safe harbor allows for you to do that at a very, very steep discount of your services so that the providers that you’re coordinating this care for don’t have to take on a bunch of upfront risk in paying for your services without really getting much upside, because they’re not billing for those services. You’re just taking patients and sending them somewhere else.

And so it allows you to provide those services at a discount and potentially share in some of the upside where traditionally under AKS sharing in upside is, again, a kickback.

So that’s the Care Coordination Safe Harbor. The key difference between that care coordination safe harbor and the two other safe harbors I am about to mention is that the care coordination safe harbor limits any type of remuneration to in-kind remuneration only. So you can’t give a cash kickback to the providers that you’re coordinating care for, but you can provide, for example, medical devices to their patients for free that they don’t have to pay you for so that they can monitor their patients’ blood pressure on an ongoing basis and help you identify that risk sooner, intervene earlier, that kind of thing.

The second two are what I would refer to as sort of risk-based safe harbors, which allow for entities that are participants in, or have partnerships with participants in, value-based reimbursement models with insurance payers.

And in those two instances, there’s one where an entity takes substantial downside financial risk, and then there’s another example where the entity takes full downside financial risk. And basically those safe harbors say if you are taking on some of this risk that the company you’re working with is taking on from a payer, or if you’re working with a payer who takes on a lot of downside risk and you share in that downside risk, you can also share in the upside if you create savings for that entity.

So again, where the Anti-Kickback Statute traditionally prohibits any kind of cash remuneration or kickback, in this case, if you work together, you both take on that downside risk together, whether it’s most of that downside risk or all of that downside risk, you can then share in the upside that they get under those value-based payment plans.

So if you take on that downside risk, you save a bunch of money for them and they get a big payment because you’ve saved a bunch of money, they can pay you a piece of that margin. The facts always matter, but it is a relatively new way that regulators have provided additional flexibility under the Anti-Kickback Statute that before two or three years ago didn’t exist.


Chris Madden:
Next, Rebecca takes us through the general lifecycle of a telehealth company from building compliance structures to figuring out how to get paid. This is where legal meets real-world business strategy. You’ll hear how companies navigate red tape, get creative and still manage to scale.


Rebecca Gwilt:
It is create a compliant infrastructure that I can use as a person who’s not a physician, as a venture-backed startup, as an entrepreneur, tech entrepreneur. Create for me the infrastructure that will allow me to be in the business of telehealth. That is your MSO-PC structure.

Now, way more than it was a couple years ago, clients are coming to me saying, I know that’s the minimum of what I need. Great. So now that you know that, now you know how to build that, and there are a number of ways to do that.

Then you go, okay, well now I’ve done this, right? Now I’ve got to figure out how to get paid. And it was easy to start out with to get a Stripe account and get people to charge their credit card and come buy telehealth. But the really big market is in the payer space, because most people in this country still want to rely on their insurance to pay for their healthcare.

So the way I get access to a lot of people is I’ve got to get into the payer contracting space. And that can take a lot of time. That can take three to six to twelve months depending on what size of the organization you are, to go from an all cash pay to a, I’ve got a national contract with Blue Cross Blue Shield and starting to credential physicians.

And so one of the creative ways that people are getting around that is whole businesses have cropped up where they are signing contracts with national payers and they are creatively leasing that to other telehealth companies.

Now, whether that’s going to be a forever thing or whether the payers are going to get down with that, remains to be seen, but it is a, it filled a need. Companies across the industry said, it’s too hard for me to get contracts with every single state, with every single provider and the good rates, because when you start out, you don’t have enough people to negotiate, etc.

What if there was some big company that got all the contracts and then allowed us to piggyback on those contracts? From a legal perspective, very, very tricky. But from a business perspective, this is what comes to our desks as innovation attorneys, right? Can we do that?

And I think traditional lawyers would say, well, that seems very risky and I’ve never seen that before and probably no, and the hard job is trying to see in which ways you can make that happen contractually, legally, from a regulatory perspective.

The other thing that has happened is companies that want to provide a service to individual consumers who don’t have a network, but want to sell to independently practicing practitioners and create leverage by pulling a bunch of independent practitioners together in some way, those businesses have emerged.

ALMA is a good example of this. Headway is a good example of this. These companies that are figuring out a creative way to concentrate the power of individual practitioners as if they were a healthcare provider themselves.

Corporate Practice of Medicine issues, fee-splitting issues at the state level, Anti-Kickback issues if you’re in the Medicare/Medicaid space. So all of these are reactions to the constraints that the very early sort of big crop of telehealth companies faced and their executives said, well, this shit sucks, like how do we get around this? This doesn’t make sense. All I want to do is provide healthcare to all these people, why all these barriers?

And so it forces that strategy discussion. It’s really about hitting barriers as a business trying to grow now that there’s so much private money running through healthcare, and forcing people like me to go, okay, well that makes me uncomfortable because I’ve never heard it before, but, okay, well what if we did it like this?


Chris Madden:
We’ve talked about how the legal landscape keeps evolving. But here’s the flip side. A lot of these rules are old, decades old. HIPAA, TCPA, CAN-SPAM. They weren’t written for the digital world we live in now. Companies like Elevare help founders navigate that tension between old laws and new tech. Kaitlyn shows how knowing the law gives her power.


Kaitlyn O’Connor:
It’s important for digital health companies, particularly when they’re building out a marketing strategy, but really in all phases of building and commercializing a new business in healthcare, it’s really important to understand that most, if not all, of the legal and regulatory landscapes that are going to apply to you are going to be very old.

For example, HIPAA was first published in 1996 and it hasn’t really changed very much since then. TCPA, very old law that has not really changed much since its inception. TCPA applies to automated telephone calls. Most of my clients aren’t really calling patients anymore, but TCPA could implicate text messages that you might want to send to patients, for example.

CAN-SPAM, which has to do with email marketing. FDA medical device regulations. The FDA has done a good job of publishing guidance, but they have not necessarily updated the actual FD&C Act. Many people who are listening might be familiar with the 21st Century Cures Act, which is the most recent version of that, the most recent update to the FDA’s medical device regulations.

But since then, it’s really just been a lot of guidance around software, AI, that kind of thing, and then other state-specific laws as well. Corporate Practice of Medicine rules tend to be pretty old and actively enforced, and state licensure laws, state tele-prescribing laws, which were largely created during the height of the opioid epidemic and haven’t really been updated now that we’re living in a much more virtual world than we were back then.

Most of the laws in the healthcare world are pretty old. They’re pretty complex and it’s not that easy to update laws, but it is pretty easy to update technology. Technology is evolving fast. Yes, there’s a lot of work to do on the product design and development side, but generally speaking, technology evolves a lot faster than regulation.

And that means that when you build out your strategy, when you build out your product, you have to think about compliance with those laws, and you have to identify the areas where you can push the boundaries a little bit, understanding that the laws are old and maybe haven’t been updated to apply directly to what you are building, and then build a strategy around that as well.


Chris Madden:
And while the laws themselves may be hard to change, they also can’t be ignored. Kaitlyn’s point about thinking compliance into your design phase is so important. If you wait until launch to think about regulations, you’re already behind. Building compliance early saves you from costly mistakes later, and it’s what separates startups that scale from those that stall.


Kaitlyn O’Connor:
Before you build a product that you want to go to market with, there are a lot of regulatory pitfalls that you should be aware of and that you should build into your product design, if it’s a product that you’re designing, or your services design, if it’s services that you’re selling.

For example, the FDA is going to look at essentially two things when you go to market. They’re going to look at your marketing language and they’re going to look at the actual functionality of the software platform or the medical device that you are selling in the market, and they’re going to look at those two things to determine whether what you are building or selling is a medical device, and if it is a medical device, whether it requires some form of pre-market clearance or approval or registration or not.

And where I have seen many companies forget about this or not take this into account is going to market and then going to build revenue so that they can afford FDA compliance, but now they’ve already gone to market with a product that needed to be approved by the FDA before they went to market.

And that’s going to make the process of going through the FDA clearance process, the process of going through the FDA approval, much more difficult because you’re already coming from a place of where you’ve potentially not been compliant. So I think it’s very important for very early-stage companies to build compliance into their design.

But I do also think that scaled companies who have already achieved growth should think of compliance as an ongoing strategy.


Chris Madden:
Chris Turitzin brings up something that ties this all together. Rigor, the constant pursuit of truth. In marketing and healthcare, that means being obsessed with accuracy, data and what’s real. It’s what builds trust. It’s what protects your reputation, and in this space, trust is everything.

Chris Turitzin is a growth advisor for digital health companies and is the founder of Single Aim Marketing. We introduced Chris in episode one around why marketing digital health matters.


Chris Turitzin:
I would just describe rigor as essentially the constant seeking of truth and a constant having of a very high bar for what truth is. What that often means is just everything you do has some form of data associated with it, and that data has like a strong basis behind it, like an intellectual basis for understanding what is actually going on.

Everything in the world generally can be described as some form of mechanism or machine, and usually that mechanism can be described through some form of dashboards and data and things you can observe.

That’s what I mean by rigor, is trying to understand the mechanism behind something, understanding the levers that you can pull and ways that you can measure what the impact of those levers are.

What that turns into is a bunch of dashboards, a bunch of metrics you’re constantly watching, metrics you deeply believe in, and also experiments you’re running to see if those things are working. That’s how I describe rigor, and I actually was having a conversation with someone recently about this and I was like, is rigor constitutional or is it something that’s learned?


Chris Madden:
When you’re working through your marketing funnel, there are safe and unsafe ways to collect and share information as it relates to marketing and advertising. We’ve touched on this in previous episodes, but now we’re bringing the lawyers into the conversation.

Rebecca maps out a clear three-step process to help companies stay ahead of HIPAA and FTC rules before anything ever becomes an issue.


Rebecca Gwilt:
So the process generally starts with an awareness stage. This is an anonymous visitor. This is a person Googling and landing on a web page. This is definitely outside of HIPAA territory. After the GoodRx case, my guess would be, depending on what your privacy policy said, FTC is not so worried about it.

The main guardrail here would be FTC. So the company would want to make sure that their privacy policies are accurate in terms of what they’re doing in marketing. So you’re on the page, you’re browsing, you’re looking at things, and of course information is being collected on the website about that.

How many times did you click on this? What ad did you click on? How long did you spend on the page? All this information is being collected, and that should be reflected in the privacy policy.

And while marketing teams should tread carefully in that space and err on the side of caution generally, this is a safe space until, as OCR has said in the past, you get to a space where you have something identifiable and that is indicative of someone accessing healthcare.

And that’s usually at the engagement stage, right? This is a browsing stage. This is engagement. This is when someone is providing their personal information, taking a quiz where you are connecting their identity with the IP address that you have or whatever information from their device, if it’s a mobile app.

At this engagement stage, that’s when the user generally becomes identifiable, and that’s what you’re looking at. And at that stage, we’re in a gray area, and I think that’s exactly what you’re mostly dealing with with your clients.

You understand that once they are in an authenticated environment, that’s protected information. You’ve got to be very careful. You know that when they’re browsing, you’re probably fine. You’ve got IP address, not much more. You’ve got information about the activity of random people on the site or in the app.

This middle stage of engagement is where it gets tricky, and what I like to tell folks is, when does it become identifiable? Because it doesn’t matter if it’s healthcare-related if it’s not identifiable. And once it’s identifiable, when are we really talking about enough of a nexus to access to healthcare, the prior receipt of healthcare, the status of your healthcare, when did that start to happen?

The other variable I would suggest thinking about is the sensitivity of the information that’s being collected, because practically the federal government, with limited resources, is more likely to come after a BetterHelp that is collecting and sharing information, sensitive information about people’s mental health status, and GoodRx, which is collecting and potentially sharing information about people’s medications that could indicate some very sensitive disorders they may have, than it is a less risky use case that might still be on the edge.

So this is all analysis, and this is why it’s really important for legal and marketing to be sitting together at the table, for marketing to be very carefully reading the privacy policy and saying, yep, this aligns with what we do, or we actually use it for these other purposes. This says we don’t. The marketing team needs to be reading that, not just the lawyers.

The lawyers need to be invited to the conversations about the evolution of this tracking technology, what tools are being used now, what intermediary technologies are now available to de-identify information and take the sting out of some of the limitations that are imposed by the law.

It is a good best practice in companies that when their advertising and marketing people are about to launch something, whether it be tracking technologies or whether it be language on the front page of the website, they should be working together with their internal compliance folks at the very least.


Chris Madden:
It’s not just about hiring a lawyer. It’s about hiring the right one, the kind that understands both healthcare and growth.

The companies that win are the ones that stay proactive through updating privacy policies, embedding legal in the workflow early, and making compliance part of the creative process. That’s how you grow confidently without getting caught off guard.


Rebecca Gwilt:
The goal is a practical partnership between legal and marketing. The goal is an experienced and educated marketing team. One of the ways that you can ensure that, one, is making sure you hire experienced folks who understand the healthcare space, healthcare data privacy.

Make sure that you have a healthcare data privacy officer who is consulting with them if they do not have interest, and if they do not have experience in the healthcare space regularly. Making sure that they are receiving training on this regularly. Making sure they’re reviewing the privacy policy and updating it if things have changed.

It is also a best practice to embed compliance in the marketing workflow. Much like the sales teams, marketing teams often don’t want to bring legal in because generally legal is the one that says, hold up, slow down, can’t do this, come explain it to me, don’t want to talk, don’t launch it until we’ve talked about it. And so legal is really seen as a barrier in the workflow.

But if they’re integrated from the beginning, if at the beginning of a campaign you said, we want to do this, here’s what we’re thinking, and legal could go, great, as you’re building it, here are some things to keep in mind and make sure that you’ve reviewed this policy, you don’t get the bottleneck at the ninth hour when you’re supposed to launch this on Monday, and the CEO is going to be down your throat if you don’t get it done.

So embedding legal early on in the workflow is another best practice, and not just educating the marketing people, because I don’t want to put it all on your shoulders, but making sure at the leadership level of these companies that there’s somebody that’s paying attention to comms and marketing that has the CEO’s ear that legal can go to and say, hey, when you’re about to launch this really sensitive information here, your sales team needs to know about this, your product team needs to know about this, your marketing and advertising team needs to know about this, and we’ve got to bring legal in.

That way, you have consensus among the leadership that this is an important thing. And as we’ve seen from a couple of actions, not just GoodRx and BetterHelp, but Premom, and it’s continuing to happen, there are more actions coming out, these are existential threats to a company. Multimillion-dollar settlements, and the inability to, without a HIPAA authorization or a detailed consumer authorization, being able to share information to target your advertising is a real handicap for companies.

It seems like one of a few very small things to pay attention to. It’s actually quite important.


Chris Madden:
Rules matter, and they apply whether you realize it or not. Kaitlyn makes a great point here. If you’re selling in healthcare, you need a regulatory and reimbursement strategy from day one, because if you’re not planning for coverage and reimbursement, you’re cutting off access to the patients who might need your product or service the most.


Kaitlyn O’Connor:
Many, many, many patients and providers will not be willing to or will not be able to afford your product or services if they cannot leverage insurance reimbursement as payment for those services. Patients don’t want to have to pay out of pocket. In many cases, they cannot pay out of pocket.

Providers don’t want to have to take on a bunch of additional costs to pay for your services that they don’t necessarily get upside for by being able to get reimbursed for using your technology.

So I think that at the design phase and at any growth stage, whether you’re building out a new business line or considering a strategic pivot for your company, I believe that companies should be thinking about how the regulatory landscape interacts with their reimbursement strategy and how those two things work together to help them be successful in the market.

For example, I have recently had a number of companies come to me with established FDA strategies. They’ve already gone through the FDA approval process. They come to me and they say, we got clearance, we’re ready to go to market. How do we get reimbursed for this product? Or how do the providers that we sell to get reimbursed for this product? Or how can we get reimbursement from insurance payers for the patients that we sell this to?

And what a lot of those companies that come to me don’t realize and haven’t taken into account through the entire FDA process is that the language that you use, the way that you conduct your clinical trials is very important, and it will impact if or how you can leverage reimbursement at the commercialization phase.


Chris Madden:
And when it comes to navigating the FDA process, language matters. The smallest detail in your submission can shape how your product gets used or who could even use it.

Kaitlyn walks us through how that plays out and how easy it is to trip up if you’re not thinking long term.


Kaitlyn O’Connor:
If you go through the FDA process and you, for example, tie your software to a specific piece of hardware, you may come out of your FDA clearance really excited because you’ve got your approval and now you can go to market, but then you’re going to go to market and there are a lot of patients that don’t have that piece of hardware that you included in your FDA submission.

And so now you actually can’t sell your software to anyone with a different type of hardware. So if you build a product that works on an iPhone and you go through the FDA clearance process and you demonstrate how your software works on an iPhone specifically, the FDA may very likely say, okay, we approve this for use with an iPhone.

But for Android users, this hasn’t been approved yet, and you need to conduct more trials that involve an Android and show us that it’s safe and effective for use on an Android.

And then when you look at the reimbursement phase, the reimbursement might say that the product that you are using that CMS, for example, is going to pay for — and I think about this more specifically in the context of remote monitoring. Remote monitoring involves collection of data through medical devices, automatic transmission of that data to providers who monitor that data on an ongoing basis.

I have a lot of clients that develop software and/or hardware to facilitate remote monitoring, to collect data from patients, to transmit that data to providers for their provider customers to review on an ongoing basis.

And those reimbursement codes, the remote monitoring reimbursement codes, require that the provider is providing to the patient a medical device that collects the data and transmits it to the provider. So an Apple Watch, for example, not a medical device. Your provider cannot get reimbursed by Medicare for an Apple Watch that collects data.

So if they’re only getting heart rate data from your Apple Watch or only getting step data, pedometer data, from your Apple Watch, they won’t be able to bill the reimbursement codes for remote monitoring, for monitoring that data.

So where this sort of overlaps with your FDA strategy is, if you have an approval from the FDA that says your software is a medical device and it’s approved for use on an iPhone, if you sell to providers whose patient base has a bunch of Android users, your providers actually won’t be able to use your product for those Android users.

And they won’t be able to bill the remote monitoring codes for monitoring the data from those Android users, even if your product works exactly the same on the Android phone as it does on that iPhone.


Chris Madden:
That’s where the AppliedVR example really shines. They didn’t just check compliance boxes. They turned regulation into a competitive advantage. By aligning their FDA and CMS strategies, they secured a brand new reimbursement code that locked in their leadership.

That’s smart and strategic compliance. It’s what separates innovators from imitators.


Kaitlyn O’Connor:
They conducted trials, they submitted documentation to the FDA that demonstrated that their software is safe and effective on a specific type of virtual reality headset that would not necessarily qualify for remote monitoring reimbursement when it’s used on a different type of VR headset.

But what they then did was they then went to CMS once they got through the FDA phase and they said, hey, CMS, check this out. We created this software platform that works really well on this specific type of VR headset, and therefore it’s actually hardware and software combined.

And so we think you should create a new Durable Medical Equipment (DME) code, a new DME reimbursement code. And they did that successfully. CMS created a brand new code that only applies to this software operating on this specific virtual reality headset, and that does two things.

One, it ensures that providers can use the software because now the company’s providing both the software and the hardware. But secondly, it’s a huge competitive advantage because any of their competitors that are creating a similar platform that doesn’t work on that headset or that isn’t called RelieVRx — that DME code that AppliedVR got created won’t apply either.

So here’s where I think it’s important to think about a comprehensive regulatory and reimbursement strategy, because one, you want to be able to leverage the reimbursement codes as broadly as possible, and you want to make sure your FDA documentation supports that use. But also, it can be a competitive advantage, because if you are creative about it and you do it in a specific way, then you can prevent other competitors from being able to leverage that code that you’ve just spent seven, eight years and millions of dollars to get to.


Chris Madden:
Even if you think certain rules don’t apply to you, you might be wrong. State laws can classify your company differently than you expect.

Kaitlyn’s story about the SaaS business that accidentally crossed into Corporate Practice of Medicine is a perfect reminder that what’s compliant in one state can get you fined in another.


Kaitlyn O’Connor:
Another common pitfall that I see with my clients is not understanding how state law will classify what you are doing. So you might think, hey, we’re just a platform, we’re just a software platform, we don’t provide any clinical services, but we hire physicians and staff them to health systems. So we don’t need to worry about state licensure rules.

We don’t need to worry about Corporate Practice of Medicine prohibitions. That’s on our customers to understand. And that’s not always true, because if your website says something that implies to a particular state medical board that you do employ physicians, it may be the case that you actually are required to comply with corporate practice rules, even if you don’t believe that you are providing treatment.

The state law might actually say that you are, and it’s important to understand that.

A client came to me. They said, we’re a SaaS business, we’re just a platform, we’re not involved in care delivery, but we do hire physicians and nurse practitioners and staff them to our customers in these five states. And in three of those states, the law said if you hire physicians, if you employ physicians, whether or not the entity itself is providing medical services, if the entity is hiring physicians, that is the practice of medicine and you are therefore subject to state Corporate Practice of Medicine laws.

And you have to set up a professional corporation that is owned by a physician, and you are a tech company that has a bunch of VC investors, so you’re not compliant. And so we had to backtrack very quickly and redo their whole corporate structure to make sure they were compliant with those corporate practice prohibitions.


Chris Madden:
As we’ve explored in previous episodes, state-by-state differences can trip up even the most experienced founders. A strategy that’s perfectly legal in Arizona might not fly in California.

That’s why every expansion needs its own compliance check.


Kaitlyn O’Connor:
Having a fragmented state strategy can get you into the same sort of boat where not every state says the same thing. So if you’re based in Arizona and you understand Arizona law really well and how it applies to you, and in Arizona, what you’re doing is not going to implicate Corporate Practice of Medicine rules, that doesn’t mean it won’t implicate corporate practice prohibitions in California.

So if you’re going to California next and you don’t look at the California law and build a model around that, you can end up in a situation where, yeah, what you’re doing in Arizona is fine, but what you’re doing in California is not.


Chris Madden:
And if you ever doubt how much this all matters, just ask the seller in Kaitlyn’s story. They lost millions off their sale price because of compliance gaps. One oversight can become a seven-figure problem.

That’s the real-world cost of not knowing the rules.


Kaitlyn O’Connor:
I was working for a private equity firm. I was doing some diligence on a $50 million acquisition. And in the process of doing my diligence, which was very specific to Corporate Practice of Medicine, I identified that the corporate structure of the telehealth company that this private equity firm was acquiring was not compliant in like half of the states where they were operating.

And my clients reduced their purchase price by about 10%. So that was a big hit to the seller, who had expected a $50 million acquisition, and they ended up selling for $40 million because they had to put a bunch of money in escrow to pay lawyers to redo their whole corporate structure after that deal closed.

And there was more risk than the buyer initially anticipated. And so they said, we’re going to hold back some money because of these types of things that can have real-world, very big impacts on both your business and your patients. And it’s just important to understand where those pitfalls are and how to navigate them at the initial stage and on an ongoing basis so that you avoid these kinds of things when you’re selling or getting investigated by the government.


Chris Madden:
The laws don’t change that much, but technology and the companies seem to change quickly. I asked Kaitlyn where she saw all of this going, whether it’s creative approaches to apply existing laws, or if she saw new laws coming in the regulatory environment.


Kaitlyn O’Connor:
So I hope that they change. I hope that we see Congress finally, for example, make permanent changes to Medicare telehealth reimbursement. That is a slow process, and there are always other priorities that other stakeholders, for example, large tech companies are focused on and can afford to lobby really heavily for Congress to focus on.

So I do think that we will see some regulations change in the coming years. I think the biggest area where we are definitely going to see evolution around laws and regulations is going to be in federal and state privacy laws. There’s already a proposed change to HIPAA out there. There are a bunch of states that are creating their own privacy laws.

And then I also think that we will see a lot of evolution in the regulatory landscape governing AI. We know that AI is valuable. We know that it can add a lot of value in healthcare, both on the operational side of things, making providers’ lives easier, as well as on the treatment side of things, making patients healthier and helping them access care and stay more engaged in their treatment than they would otherwise be.

But nobody really knows how to regulate that yet, and to state governments’ credit, for example, they’re thinking about the fact that technology changes so quickly and how do they build legislation that will be more evergreen so that it doesn’t get outpaced by the technology so quickly that it becomes prohibitive to innovation.

I think we’ll see a lot of new regulation around AI, and I think we will hopefully see some permanent changes to federal reimbursement for telehealth, which seems old and necessary, but it just takes time to make those changes.


Chris Madden:
When marketing and legal teams work together instead of against each other, growth doesn’t have to come at the expense of compliance.

The most successful digital health companies are the ones that bring their legal partners into the conversation early, not as roadblocks, but as creative allies.

As we’ve heard today, staying compliant doesn’t mean slowing down. It means building smarter, stronger foundations that let you innovate with confidence.

With the legal guardrails in place, we turn to the future. Our next episode, episode 18, explores AI’s impact on health marketing, how predictive models and personalization are changing the game.
