Ruth Carter: It’s still good to be aware of what the law requires, because those may be privacy practices that you should integrate into your company, regardless of whether you’re required to comply with this law.
Speaker 2: Welcome to the Growing a Successful Orthopedic Practice Podcast. Join us every episode to hear from fellow medical practice administrators, staff, and physicians as we break down current issues affecting the industry and share real stories from guests on their way to growing a successful orthopedic practice. Let’s get started.
Keith Landry: We have an interesting half hour ahead for you, and I’ll briefly mention this episode is brought to you by OrthoLive. Hello everyone and welcome to this episode of the Growing a Successful Orthopedic Practice Podcast. I’m your host Keith Landry talking about cutting edge data privacy issues with a new law that literally is just being enforced starting July 1st, 2020. So we’re moving into new territory here. And our featured guest today is attorney Ruth Carter out of Phoenix, Arizona. Thanks so much for joining us today for the podcast.
Ruth Carter: Thank you so much for having me.
Keith Landry: I looked around the country for the perfect guest to talk about what the California Consumer Privacy Act could mean for medical practice marketing plans and I found you.
Ruth Carter: Yes, you had to go to Arizona to find someone who knew about the California law.
Keith Landry: Let’s talk a little bit about your background so folks will know why you’re on the other end of this microphone today. Ruth Carter is with two law firms, the Venjuris law firm for legal practice and the Carter law firm. You’re the owner of the Carter law firm [inaudible] your speaking and [inaudible 00:01:45]. Ruth graduated from Arizona State University. And some of the areas of practice are litigation, trademarks, copyrights, IP licensing, business contracts, startups, and internet law, and Ruth you do a lot of blogging as well. I just want to share a couple of things folks might not know about you. You are the first attorney in Arizona to be selected as a Legal Rebel by the American Bar Association. We’ll get into that. You’re a soprano and have performed at several national, several professional sporting events, which is fantastic. And you’re training for an Ironman Triathlon. Now tell me about that because I can barely jog around the neighborhood these days. So tell me a little bit about the training for Ironman. How’s that going?
Ruth Carter: It’s going pretty well. And thanks to COVID I have an extra year to train because I was supposed to do it a few weeks ago, this past August, and because of COVID, the event was canceled and all of us got deferred to next year. So the Ironman race, the full race, is 2.4 miles swim, then a 112 mile bike ride followed by a full marathon run 26.2. You start at 7:00 AM, you have to finish by midnight to be an official Ironman.
Keith Landry: My lungs are tired already.
Ruth Carter: If I didn’t have a race on my calendar I wouldn’t work out. So this is what keeps me motivated.
Keith Landry: All right. So, because I brought it up, let’s talk very briefly about you being selected as a Legal Rebel by the American Bar Association. What’s that all about?
Ruth Carter: So every year the American Bar Association chooses 10 people to be added to the Legal Rebel club and it’s to acknowledge people who are doing things differently in their legal practice. So these are the innovators. For some people it is considered like a lifetime achievement award because of the different ways they’ve practiced law over the years. I happened to get my award less than a year after I was admitted to the bar, which was a complete shock to me. So I realized early on, I have never fit into the box or conformed to any mold despite my efforts to. And so I just do things a little bit differently. And so because of that, they decided I was worthy of being named one of their Legal Rebels.
Keith Landry: And it’s part of the reason why you’re here with us today. All right. So we’re going to talk about what the California Consumer Privacy Act could mean for medical practice marketing plans and Ruth, as you know, most of our listeners are orthopedic physicians and their practice manager. So we’re really going to try to give them some awesome nuggets today on a really cutting edge law. And it’s interesting, we’re based in Florida and this law’s out in California, but as we’ll hear through this episode today, California paves the way for the rest of the country. And we’ll talk about that as we get into this a little bit deeper. So give us a little bit of background on the California Consumer Privacy Act. Why did lawmakers decide they needed to pass this law? And maybe you can reference the fact that this actually goes back to Europe and the General Data Protection Regulation, which most folks who are familiar with it refer to as GDPR. So give us the background and then we’ll delve into some practical advice.
Ruth Carter: So, over in Europe, they place a higher emphasis on respect for people’s privacy. And because of that, they pass the GDPR, which applies to the acquisition and movement of people’s personal information. So it’s partly in response to that, and even more than that in response to the Cambridge Analytica fiasco, California passed its own privacy law. What happened with Cambridge Analytica is this marketing company was doing, I think it was an online quiz where people were providing some of their personal information in order to participate. And they were told at that time that their information would only be used for research purposes. And then the company turned around and actually used all this personal information for Donald Trump’s campaign. So it was because of that change of purpose of using the people’s data without getting their consent, that lawmakers hair caught on fire and went, “We need to pass a law to prevent this type of thing from happening again.”
Keith Landry: And Ruth, I think this is just the beginning. Anybody who’s listening to this podcast who’s initially saying, “Oh, I don’t need to listen to this.” Let me urge you to listen on, because I believe this is just the beginning of what we’re going to see in the United States and across the world, in terms of a prioritization of protecting people’s private information and personal data. What are your thoughts on the trend that you observe in the law?
Ruth Carter: Definitely. One thing I’ve learned about the law is that it always drags behind technology by years. So it’s the creators and the innovators that create these new technologies and look at new ways to acquire information and use information, and then the law has to play catch up to go, “Oh, wait a minute. Maybe we don’t want it to go this way.” So I’ve heard the phrase that if you’re not paying for the product, you are the product. So for a lot of companies, they were looking at their audience as basically their revenue stream. We’re going to take people’s information and then we’re going to flip it and sell it. And there wasn’t any regulations regarding that. And it’s so easy to get people’s information, way easier than back when everybody was a brick and mortar company where you actually would have had to physically collect information. It’s so easy now with just digitally, you just type it in or you just scrape it or whatever, however, you are acquiring it. And so the law has to step in to say, okay, this is okay, this is not.
Keith Landry: And that’s an interesting point. I imagine a few years back, it would have been interesting to be a fly on the wall in the tech companies across the United States while app developers were writing the code and coming up with the technology behind their apps, with the very purpose of gathering data to profit off of it. Imagine what those conversations were like. “Well, we could do this, we can do that. We can build this into the app to get all of that information itself.”
Ruth Carter: Absolutely, and people are willingly using apps to provide information. Everything from what your hobbies are, what type of food you order, who do you want to date? And companies are just sitting back and analyzing that. And part of it is, learn about your audience. It makes sense to know who your people are, but they also were looking at it as, hey, this is an asset that we might be able to profit off of. So I don’t fault them for being innovative and looking at new revenue streams, just the way they went about it in some way seems a little bit nefarious.
Keith Landry: Interesting points. Okay. So California lawmakers passed a law in 2018. It goes into effect January 1st of 2020 for the new decade. And the state Attorney General of California actually started enforcement of this law on July 1st. So this is all new stuff here. Who does the law apply to? I want to make that clear first because even if people conclude, oh, it doesn’t apply to me, we’re still going to give them a lot of practical advice they might pay attention to here.
Ruth Carter: Right. So, whereas GDPR impacts everybody who has data about individuals from the European Union, the CCPA, California Consumer Privacy Act is much more limited. So it applies to for-profit businesses who sell goods or services to California residents who meet one of the following three criteria. That either get half of their revenue from selling information, they have personal information for 50,000 California consumers or households, or they make over $25 million in annual revenue. So if you meet one of those three, then you are required to comply with CCPA. If you don’t, you are exempt. So for a lot of companies, maybe you only make 24 million, you only have 49,000 pieces of information for California consumers, you’re exempt. So you don’t have to comply with a law, but it’s still good to be aware of what the law requires, because those may be privacy practices that you should integrate into your company, regardless of whether you’re required to comply with this law.
Keith Landry: It’s always interesting to do a little analysis when a new law goes into effect as to whether or not there’s really any teeth behind it. And in this particular case, an offender of this new law can be fined up to $2,500 per user, per piece of data involved in a data breach. So you can imagine how that could very quickly get into fines of many millions of dollars for a large company. What do you think about that deterrence effect when the owner of a tech company, or maybe a huge medical practice, realizes, oh, my word, the fine could be unbelievable here?
Ruth Carter: Right. So you have to ask yourself, how big is my rainy day fund? Because when you first hear $2,500, that doesn’t sound too bad, but then when it’s like, oh, per incident, which is per person, oh, that adds up quickly. And actually the fine can go up to 7,500 if it’s willful violations. Additionally, this law gives a private right of action for individuals to file an action against the company. And within weeks of the enforcement starting, multiple class action lawsuits were filed on behalf of individual consumers. So the government could come after you or individuals. So with the individuals, you can only get up to $750. But again, if we’re talking 50,000 consumers, that adds up quickly.
Christiana Ayoung-Chee: Hey guys, Christiana Ayoung-Chee here to tell you about Insight Training Solutions. Storytelling matters, and being strong at it can take your medical practice from good to great. Insight Training Solutions is a comprehensive digital employee engagement and training platform built for your medical practice. Employees can log on from anywhere, anytime, to receive crucial patient experience and communication training so they can help tell your practice’s story. Improve the patient experience today with Insight Training Solutions. Courses start at just $59. Check us out at insighttrainingsolutions.io or Google Insight Training Solutions for a better patient experience.
Keith Landry: Okay. So, many of our practice managers and orthopedic physicians will in fact be exempt from this law. But the point is that it raises some serious issues about protecting patients’ private data. And these are things practice managers just want to be aware of moving forward, especially since California sets the tone for the rest of the country. So let’s talk about some practical advice that orthopedic practices can put into effect starting this week. And just sort of continue to follow to be up to speed on the trend. Let’s start with not adding a patient’s email to your email blast list without their permission. Sounds like common sense, but let’s flesh that out a little.
Ruth Carter: You would think that that is common sense, but for a lot of people, it’s not. So for me, it comes down to respect. Even before we take the law into consideration, it’s about respecting your audience. Time is one of the most valuable assets that people have, and so if you are adding someone to your list without their consent and you’re sending them emails, you’re taking away their time because they have to go deal with your email, whether they want to read it, delete it, unsubscribe. And so I see that as a sign of disrespect if a company adds me to their list without my consent, even if the law says they’re allowed to, it’s a jerk move. That tells me that you’re not looking at me as a person, you’re thinking of me as something that can benefit you.
Keith Landry: Just a dollar sign.
Ruth Carter: Yes, I’m a huge advocate of make people add themselves to your list. So for an orthopedic practice, it could be part of your intake paperwork of, “Hey, we have this great resource. Would you like to be included? Give us your email address here.” You have it in writing if there’s ever a question and you’re looking at it and you’re presenting it as, we want to be a resource for you.
Keith Landry: Okay. Great advice there. Now, if you really want to get the attention of any business owner or practice manager anywhere in the United States, all you have to say is two words, data breach. What should these practices be thinking about doing about data breaches and protecting the privacy of their patients and informing them when there’s a data breach? Walk us through some of this.
Ruth Carter: So, with your audience, they’re already required to comply with HIPAA in regards to patient data, which may be something that’s separate from their marketing list, but still they know about the basics of, you need to protect this information. I would expect the same high quality of care for patient medical data to be for their email list. So you want to use minimum industry standard, whatever that is for your industry, in regards to protecting that information and consider the worst case scenario before it happens. So if there’s a data breach, what type of information could a hacker get? What could they do with it? How could your audience be harmed? And it may be very limited in regards to your marketing list, because if all they’re getting is the list of email addresses, that’s going to be a lot less risk of harm compared to their medical information getting out, their social security number getting out where that’s more likely to result in identity theft versus like, hey, this person’s going to get junk email.
So I would look at it. I would have a plan of action in place before a data breach occurs. I don’t think a lot of companies are aware how many small businesses are hacked. You hear about the big ones, but the majority of incidents of data breaches, at least that I know of, actually happened to smaller companies. So it’s important to have that plan of action in place so when it happens, you already have your flow chart or whatever of what you’re going to do. And something for your audience to consider is whether or not they should have cyber liability insurance. That is probably not something that is included with their standard medical malpractice insurance. This is the type of insurance that steps in to do things like pay for notifications, a year of credit monitoring and things like that. Because those things can become very expensive, especially if you have a larger list. And they may also have assets available through an insurance company to help you evaluate your security system, to make sure that you have set yourself up to be less likely to be hacked.
Keith Landry: That’s a fascinating point. I never even thought about that. Insurance for that as an add-on and wow, I don’t know how much that costs, but it really might be a good value because you’re not planning on getting a data breach, certainly, but that’s what insurance is for, to [crosstalk 00:16:57].
Ruth Carter: Exactly. No one expects to get into a car accident either, but we’re all supposed to have insurance.
Keith Landry: All right. Let’s talk a little bit about a lot of orthopedic practices are really catching on to the importance of the digital world for reaching out for marketing plans, Facebook ads, Google ads, using online capabilities, rolling them into their marketing strategies. Any advice you can offer in general about online marketing, Facebook ads, digital ads in terms of patient privacy? Just good, common sense tips you want to offer.
Ruth Carter: Good, common sense. I think two things should apply in any type of marketing plan, transparency and integrity. So it should be clear about who you are, what you’re doing, what you’re promising, and then in regards to keeping data, how are you storing it? Who has access to it? And what’s your plan for if there’s a breach? So it should be easy for a consumer to look at what you’re doing. I’m not asking you to disclose your trade secrets, but just in general, who are you? What do you do? And how do you operate?
Keith Landry: Let’s talk about something that sort of dovetails off what you just said. I want to get some nuggets here about what to do about getting rid of a patient’s or a vendor’s private information if you no longer need it, thus minimizing the dreadful impact of the data [inaudible 00:18:15].
Ruth Carter: Yes, I am a huge advocate of having what I call the data custodian. This is somebody in your organization who is charged with keeping the data entrusted to you safe and asking questions like, what information are we asking for and why? So that you’re not taking in information you don’t need. And then when information no longer needs to be saved because they’re no longer your patient or whatever your reason is, that somebody who says, “Hey, I want off your list,” gets rid of it, because I have seen this happen where problems came about because people kept information much longer than needed. If you want an example, go look at the Marriott data breach. Marriott acquired Starwood and when they acquired Starwood, they also acquired an ongoing data breach. And millions of people’s information was compromised, including unencrypted passport numbers, credit card numbers.
And it was in the millions of pieces of information. And I remember when I heard the story on the radio I was like screaming, why did you have this information? I can understand you keep credit card information until the transaction clears and then maybe you only keep the last four digits so that way you can track it if needed, but you don’t need the whole number anymore. And why do you have passport numbers? That just blows my mind like why wasn’t somebody going through and systematically deleting out information that was no longer needed because this problem caused by this data breach could have been so much less had they decreased the amount of information available for the taking.
And one thing to think about for your audience, I thought about this morning as I was getting ready for this podcast. I have a friend who systematically will go through and kick people off his email list if they are people who are not opening his emails, because he looks at that as, I’m not providing you any value because you’re not opening my emails, so why should I continue to pay to have you on my list? Because a lot of these companies like MailChimp and things like that, once your list gets to a certain size, you’re paying for them to hold onto your list for you. So why pay the higher amount if the audience you’re actually serving is smaller?
Keith Landry: Great points, great points. And I want to talk to you a little bit, get a little insight here for our audience about how California tends to pave the way for the rest of the nation. Many, many times in the last 10 to 15 years, a given industry faces a new set of regulations that were created and passed and implemented in California and are then rolled out in state legislatures across our country. So somebody who is up in Maine listening to this right now, thinking California is about 3000 miles or so away from me. This is how regulations get passed in America. They start in California.
Ruth Carter: Many times they do. California passes a law and either other states follow suit or the federal government follows suit and passes a law for the entire country. I hope that’s what happens here because it would be really challenging to have to navigate 50 different privacy laws plus other countries’ privacy laws on top of that. Given that we are more and more a global community, it just makes sense to have larger all-encompassing laws whenever possible. So I hope that sooner than later, we do have a federal privacy law.
Keith Landry: Interesting. Interesting. Okay. And however long that might take, the point here I think is what happened in California is a warning shot almost for the tech industry and for people who deal in large numbers of personal data and private data. A warning shot that says, “Hey, you’d better start paying attention to this.” And yes, you may lose some money by paying attention to this, but people’s personal information matters starting in 2020 and moving forward. What do you want to add to that?
Ruth Carter: I think one thing companies need to remember is they don’t just have people’s personal information, they are entrusted with people’s information and that position deserves respect. So it’s not just about building a list, it’s about considering the fact that people are trusting you to have their personal information and keep it safe so that nothing bad happens to it. Think of it like when you hire a babysitter, you are entrusting them with your kids’ care. This is similar to that. We are entrusting companies to not sell our information without consent or worse, to set us up to be screwed over because they don’t have enough security protocols in place to protect us, protect them, against hacking.
Keith Landry: Well, it’s interesting because the California Consumer Privacy Act, as we mentioned, just went into enforcement mode just a few months ago. So it will be interesting to see moving forward what this really will mean for medical practices and their marketing plans. Anything else you want to add before we wrap this up, Ruth? I think we’ve pretty much covered it all. I guess I should just ask you how folks can get ahold of you in light of all the interesting areas, cutting edge technology, business, internet-oriented areas of law that you focus on. There might be a few people who want to reach out to you. How can they connect with you?
Ruth Carter: So I guess my last piece of unsolicited non-legal advice for anyone who’s looking at their privacy protocol is treat everybody’s information with the same level of care that you would want someone to treat your grandmother’s information. And then if you want to get ahold of me, the best way to do that is look up geeklawfirm.com that has all my social media and all my contact information on it.
Keith Landry: And that’s catchy and easy to remember geeklawfirm.com. I feel like the voice of a radio ad on that one. Geeklawfirm.com today. All right, attorney Ruth Carter, that was absolutely as fun as could be and cutting edge. And we don’t even know where this is going to go. So maybe we’ll do a follow-up podcast down the road with you.
Ruth Carter: I would love that.
Keith Landry: Thank you so much for joining us today and thank you for everybody out there listening to this episode of Growing a Successful Orthopedic Practice Podcast. Hope you picked up some nice tidbits that you can put into effect this week and we’ll do this again soon. I’m Keith Landry.
Speaker 2: Thanks for listening to the Growing a Successful Orthopedic Practice Podcast. Please consider pressing subscribe on your podcast player so you never miss a future episode. And if you haven’t given us a rating or review on Apple podcasts already, we ask that you take a spare minute to help us reach and share our medical practice growth stories with peers.