Chris Madden:
Digital health is complicated enough. Add in regulations, federal, state, and even local, along with different insurance networks in different states, and suddenly growth feels like a maze. So how do you craft acquisition strategies that scale across fragmented US markets? This is Marketing Digital Health, and I’m your host, Chris Madden.

Today we’re focusing on state by state rollouts. We’ve gained insights from Ankit Gupta, Jessica Holton, and Returning Voices, Rebecca Gwilt and Joanna Strober. They’ve driven state by state growth and digital health, and they’ve discovered strategies to combat so many varying regulations while scaling their companies.

Rebecca Gwilt breaks down why state by state rules exist, how licensing boards hold on tight to their authority and why navigating HIPAA insurance and state regulations creates so much friction for digital health companies. Rebecca Gwilt is a healthcare regulatory attorney and co-founder of Elevator Law.

We introduced Rebecca in episode 15 around privacy and compliance in marketing.

Rebecca Gwilt:
So when you think about the complexity in healthcare related to state by state regulation, in addition to the layer of federal regulation, that sort of covers a lot of government sponsored healthcare. And then of course, HIPAA is the big federal law that applies regardless of whether there’s government insurance.

There are layers upon layers. So there are state medical boards and other state licensing boards. Behavioral health boards, pharmacy boards, dental boards, they have a job to do and they have funds to collect. They are state agencies by and large, and their job is to take care of the citizens in their state and to take care of the profession in their state.

And so they have a vested interest in having control over that and don’t wanna give it up. To anybody else. We have seen a lot of pacts between the states, licensing pacts, telemedicine pacts, but we haven’t seen a real effort or desire on the part of a lot of states to give up that kind of power in service to an easier experience for patients as they become mobile and travel all across the country.

And for doctors that wanna become mobile and travel across the country, there are very important reasons why states are in charge of these things, right? They have the ability to audit, they have the ability to investigate. They have the ability to react to local needs in the way that the federal government can’t react to local needs.

And frankly, just the inertia of having done it this way forever means everybody has a job. It’s important to them that is funded by the state that they wanna do a good job at, and they don’t want someone else coming in and usurping that authority.

The insurance landscape, while insurance companies are regulated on a state by state basis, insurance is mostly governed by contract and because of consolidation, there are very few relative to what there used to be insurance companies around, and they have the ability to choose their region.

A lot of insurance is regulation when it comes to what applies to the insurance companies themselves. When it comes to providers contracting with insurance companies. That’s a creature of contract. That’s why providers can get national payer contracts, but payers can’t be regulated nationally. They’re regulated in their individual states.

Chris Madden:
Next up, Jessica Holton digs into how privacy laws are evolving. Jessica Holton is the co-founder of ours Privacy, a HIPAA compliant customer data platform, and third party pixel replacement for healthcare marketers. Ours privacy acts as a privacy first buffer, removing PHI from data flows while still enabling ad and analytics optimization across the funnel. And it also provides consent management, giving organizations control over how user data is collected, stored and shared.

Jessica and team work with leading digital telehealth companies, hospital and health systems and wellness brands to make privacy infrastructure both compliant and growth ready, California, Washington. And now more than 20 other states are rolling out new frameworks. Jessica explains how companies have to build flexible consent systems that adapt in real time. Because nothing about these regulations stays static.

Jessica Holton:
From our view, the US is moving beyond a HIPAA centric approach that applies to all healthcare companies in the US to a fragmented state driven infrastructure or state driven approach. And one of the perceptions is that HIPAA takes a long time to get up to speed with all of the digital ways of doing marketing and digital ways of processing health information.

And so states have taken up it upon themselves to implement new privacy framework. The two states that we see come up quite a bit is California and Washington. California with CCPA and Washington with my health, my data.

So CCPA, it expands consumers’ rights to opt into consent and to opt out of data sharing. So it requires that any company doing business in California at a certain scale must let California users opt out of having their behavior shared with third parties, and they must be able to have that opt in withdrawn if needed.

So it actually goes beyond healthcare and it applies to any business, but for healthcare companies, it means that you are not only following hipaa, but you’re also following this state privacy law. And then Washington’s my health. My data also goes beyond hipaa, and it covers consumer health data, even when it’s not tied to a covered entity.

So this expands the number of companies that need to take a privacy oriented approach when it comes to tracking and then sharing that data with third parties. So for example, for my health, my data, let’s say a mental health app collects search behavior or geolocation related to going to a clinic or searching for a clinic.

It might not be, if that app is not under hipaa, it still might be regulated under my health, my data, and that act also requires prior opt-in consents before collecting data and separate consents, before sharing it with third parties.

And so what we’re seeing is several years ago there were less than a handful of state privacy laws, and now they’re over 20 and they’re just increasing. And so there’s a world where we ultimately have 50 different configurations that you need to follow state privacy laws and for an organization that is marketing to consumers or marketing to patients who are across the nation or across many states in one particular region.

You need to keep up with that. Not only are the state privacy laws that are coming out and being established increasing, more states are coming out with their privacy laws every single month, but they’re also updated. So not only do you need to contend with the states that have different privacy laws, and you need to follow those, of course, but you also need to keep up to date with the changes that happen with the estate privacy laws.

So you can’t, hard code rules you. They vary by state and ends. They change often. And so the way that you do consent management, you have to take into account the states and be able to, based on the location that user is viewing any information on your website or interacting with any of your domains or properties.

You need to be able to adapt legal language dynamically and log consent per jurisdiction. And you also need to future proof that and build dynamic rules that let you change that configuration and do so in near real time. Because as things are changing, as laws are changing, you have to be able to have a system set up that you can modify to continue to comply with those laws.

Chris Madden:
Jessica’s point sets the stage for founders. If you’re trying to grow quickly, compliance can feel like an anchor, but the reality is, if you don’t stay on top of it, you risk losing customer trust or your entire business.

The stakes are that high, and this potential tension between performance and compliance is one that every founder has to contend with.

Jessica Holton:
It’s really, really hard because founders want to, of course, grow quickly. And of course, they don’t wanna put their business at risk or do anything that puts the trust that they have with their customers at risk.

What we’ve seen is across the entire spectrum, we’ve seen on one hand founders who either don’t want to take on the risk of these ever-changing and increasing laws, and so they just stopped tracking entirely. And they take the risk off of their plate and they stop tracking. They do, instead of targeted performance marketing, they do brand campaigns that they do not have to share back data to Facebook, Google, et cetera with.

And they feel comfortable with that because they know that they’re not tracking, they’re not doing anything that they could get in trouble with.

Now, I will say it’s very, very difficult to eliminate risk. Because you have likely, a lot of scripts, people have a lot of different scripts on their site that you don’t actually even know is by default transferring data back to Google, let’s say. So this is an aside, but things like maps or videos that are hosted by Google end up sending that data back to Google.

And there are a lot of kind of areas that you might think or not even consider as being something that is being tracked and shared back. And so it is very difficult for a founder to say and do the elimination of risk entirely.

And then on the other side of the spectrum, we have founders and marketing teams that work very closely with their legal teams to understand what every single state privacy law is and how it relates to them. And then they work with a consent management platform to enact that on their site.

And so they are using different legal language on the cookie consent banner that pops up based on the state. And they are updating that in real time in partnership with their legal team to make sure that they continue to comply and they’re working with a consent management platform and they’re reviewing it consistently.

And of course on that side, the benefit there is that is twofold. One, they are honoring privacy of their customers and they’re showing their users on their site. Transparently, what they’re tracking and what it’s being used for, allowing users to withdraw consents. And two, once they have consents, they’re able to track and share back some data, select data that ideally they still have control over before it goes on to Facebook, Google, third parties.

So the reality is often companies are somewhere in between where they tend to set up the infrastructure, let’s say at one point in time. And then let it sit as such, and that should work as long as it’s set up properly. The problem is these laws are dynamic and increasing what seems like every day. It’s not really the kind of thing that you can just let sit and persist forever because you need to make sure that you’re on top of that.

And so it’s really important to be able to have a system that can grow and modify with you. And that you can continue to work with your legal team, but make changes as needed without having to undo the whole configuration. So what we always say is work with a consent management platform that is built specifically for state privacy laws and for healthcare, because you don’t wanna have to undo workarounds that you put into place to get initially compliant when those laws are definitely going to change.

And so that’s why we built the consent management platform is we are built specifically for healthcare and specifically for geo-located consent management, and we make it extraordinarily simple and straightforward to make changes to your configuration as laws evolve and as your business needs and compliance needs evolve as well.

Chris Madden:
Un Gupta is the co-founder and CEO of bicycle health. A leading virtual care provider for opioid use disorder treatment with a background in engineering product and mission-driven entrepreneurship. Ankit built bicycle to address one of the most urgent and complex public health challenges in America.

His perspective sits at the intersection of access, growth, and care delivery with a strong belief in technology’s ability to scale compassion and measurable health outcomes. T’s story of building bicycle health. Shows that when you’re helping to solve a critical and widespread health crisis, scaling across states is a necessary and intentional process, one that is taken step by step.

Ankit Gupta:
We should not exist if everything goes well, but there’s such a large access gap. 90% of people with addiction don’t have access to treatment, and even if there is frequent access, you have to reach the person at the exact right time when they’re ready to make a change in their life.

And so it is really hard to reach patients, and it is really hard to sustain a business in this environment with a lot of the regulation. Thankfully, I didn’t know any of that when I started working on bicycles. I was really naive. We’re in California, we’re really helping a lot of people, and if people just hire more providers, then we could see even more patients.

In order to hire more providers, I need some funding and I was able to raise a seed round. Thankfully very quickly because of some of the relationship I had signify investor medicine, well has been a fantastic partner since then. And so we got the money in the bank. We were able to start hiring more providers.

We were able to hire a software agent to actually make a website and actually, you know, put, it was just like one key that, another for what the ultimate mission is that we need to do, which is reach more patients along the way, we learned all the hoop that we have to jump through and so.

There are some really big learnings around regulatory challenges that we have to overcome. I always had a heart attack every time we had a legal bill that I had to take ’cause it was just so many federal, state, local regulations that we had to fully understand before we could even start doing business in, in, in a state.

And expanding from one state to the entire country had to be a very sort of intentional step, step success. Where we had to really understand the regulatory landscape, understand the reimbursement landscape, be able to match the patient acquisition with the hiring of the providers. And essentially put together a roadmap for which state we’re gonna launch at Bitcoin, and then continued Etrade on that roadmap as we learn more and as we opting, it

Chris Madden:
It sounds like a national ad would be so much easier.

Right. Joanna Strober is the founder and CEO of MIDI Health. We introduced Joanna and. Episode one around why marketing digital health matters. She explains why so many digital health companies go state by state rather than launching nationally. It’s expensive, it’s operationally difficult, and it requires balancing supply and demand across every state and every region.

Joanna Strober:
Digital health is hard. Operationally. Digital health is actually really hard, and particularly when you add insurance coverage to the mix. But even without insurance coverage, people have to be licensed in each state in order to provide care. So you hire nurse practitioners and maybe they have one or doctors, and maybe they have one license in one state, or maybe they have five licenses, or sometimes you get lucky and they have 10.

But they can only offer care in those states. And what you don’t wanna do as a digital health company is hire a bunch of people who are not busy in a state because you can’t afford to do that. And then also when you add insurance coverage, you need to get them enrolled in each of the insurance companies.

When you combine all that together, it’s very hard to roll out nationally because then you have a lot of people who might be sitting around doing nothing. So that’s why we end up doing state by state instead of national. It’s just too expensive to do national. A number of companies have essentially gone outta business because they tell employers that they’re gonna be a national company and then they hire all these people and they’re not busy.

That’s very damaging for a company, but we also know that once we are national ads are much cheaper. What we found is one of the reasons why we needed to have national coverage is that it’s much cheaper to do a national ad campaign than local ad campaigns. So we’ve had to balance that. We do have a lot more supply in some states than others, so we have to balance for our marketing how we do those two things.

Chris Madden:
Joanna’s strategy is rolling out state by state. This is a common strategy across digital health.

Joanna Strober:
That’s exactly what we do. Start in one state. You get insurance coverage in that state. Then you went to, we started in California and then we went to Texas, and then we slowly hired NPS and got them.

Licensed in different states and then got them credentialed with the insurance companies in different states. So it’s just, it’s a very expensive, time consuming operational process

Chris Madden:
For Ankit at bicycle. The state by state rollout was not instant. It was years and years of going a few states at a time. His team made smart use of compacts and local rules accelerating where they could.

Ankit Gupta:
So we first decided to launch in states with a purely self-pay model. So we didn’t want to wait for instrument contracts because there’s a certain segment of the population that is still willing to engage in a self-pay model because of the lack of access and the demand be so high.

And so that removed a big across. But even to have access for software patients, we needed providers who have appropriate licenses in those states. We needed to check off all the boxes from a regulatory compliance standpoint, and so we put together a roadmap. I believe in the first year we launched five or six states and year we launched under 10 or so state.

It was a slow and steady progress, maybe one or two states every month where we needed to. It was almost like a checklist of like 30 or 40 thing add me to do. For every state launch ad and there were not a lot of people working at that kind. So few of us working ly I remember, was responsible for hiring providers.

I had someone on my team responsible for getting them licensed in the state that we have to be licensed in. Our chief medical officer was responsible for onboarding them and making sure we underst technology. There were some. Ways in you could, in which we could optimize this. For example, there are interstate medical licensure compacts, and so if the physician had a license in one state, you could more easily in the other state, or there are some states where you don’t need a physician supervisor and nurse NPS can independently practice medicine.

And so we relaunched in some of those states ahead of the states where you needed MD supervisors understanding the regulatory landscape and figuring out. What is the shortest path to pro, having capacity in the state and did that. One of the other things that we couldn’t fully understand at that time is what is the demand look like?

Like if we launch in Arizona, how many patients will we actually get versus launching? In Colorado, we intentionally didn’t use public data to plan on national extension because public data is highly biased towards. The overdose death rates and the opioid prescribing rates. And intuitively we felt like there was a lot of undiagnosed opioid use disorder and patients just not raising their hands, asking for treatment.

And if we start having capacity in that state, like if you build, they will come and a pain, which is never a something you should do. Right. But in this case, we, but like if we had capacity in that state and the market in that state, we might. Have a totally different demand profile than what our data shows us.

So we intentionally didn’t worry about demand. We made sure we created the supply, and we basically try to create a supply for as many people as quickly as we can based on the state regulations and the hiring that we do. So that’s how we created like a National Day model, and then we started getting insurance contracts on top of that.

Chris Madden:
This is such a good example of discipline scaling, knowing you don’t need the whole country on day one. Just the right states, the right licenses, and a team willing to chip away until a national footprint becomes real. Jessica reminds us of the big picture. Regulations will keep changing. Policies will shift.

Platforms will update. The only way to stay ahead is to build systems that adapt as fast as the rules do.

Jessica Holton:
I’d also just say as things change and as platforms change their policies and as state privacy laws change and evolve and come online, the facts that you have a system in place that can be easily modifiable.

As things come up means that you’ll ultimately avoid costly disruptions because you don’t have to go back and undo the hard-coded workarounds that you might have had in place at some point. So having that modifiable system that adapts with you is really important.

Chris Madden:
Here’s the takeaway. Growing a digital health company across all states in the US isn’t just about speed, it’s about resilience.

Success comes from patients pushing where appropriate adaptability. And a willingness to treat compliance as a part of your growth strategy, not an obstacle to it. Legal and marketing don’t have to be at odds. Our next episode, episode 17, shows how collaboration between the two can unlock not just speed and safety, but also strategy.