In this episode of Telemedicine Talks, hosts Phoebe Gutierrez and Dr. Leo Damasco chat with Michael Williams about the explosion of data privacy laws like GDPR and state regs impacting telemedicine. From his hoops-to-law journey to making compliance copy-paste simple, Michael shares why ignorance isn’t a defense, how per-incident fines add up fast, and how Clym’s all-in-one platform helps providers protect patients, reduce risk, and scale globally without $100K consultants.
This episode is sponsored by Lightstone DIRECT. Lightstone DIRECT invites you to partner with a $12B AUM real estate institution as you grow your portfolio. Access the same single-asset multifamily and industrial deals Lightstone pursues with its own capital – Lightstone co-invests a minimum of 20% in each deal alongside individual investors like you. You’re an institution. Time to invest like one.
__________________________
What if complying with 19 U.S. state privacy laws and counting was as easy as copy-paste, and cost-effective for solo docs or big practices?
In this timely episode of Telemedicine Talks, hosts Phoebe Gutierrez and Dr. Leo Damasco sit down with Michael Williams as he breaks down the patchwork of laws (GDPR, CCPA, and 2025 updates), why they’re based on patient location, not your HQ, and how per-incident fines can hit millions. He shares Clym’s origin story from a $100K consulting flop, explains enforcement trends (e.g., revenue via “phantom taxes”), and offers nuggets on getting started fast: no devs needed, scalable for SMBs to enterprises, and focused on user experience without legal headaches.
If you’re in telemedicine and sweating 2026 enforcement, this is your roadmap to proactive compliance—protecting patients, avoiding surprises, and turning regs into a competitive edge.
Three Actionable Takeaways:
About the Show:
Telemedicine Talks explores the evolving world of digital health, helping physicians navigate new opportunities, regulatory challenges, and career transitions in telemedicine.
About the Guest:
Michael Williams is CFO and Co-Founder of Clym, a leading platform for automated compliance with data privacy, accessibility, and website regulations. A former pro basketball player (6’10”!), he started as a tax attorney at Ernst & Young, then served as CFO for global firms. Michael blends legal, financial, and operational expertise to make compliance scalable, affordable, and user-friendly, helping telemedicine providers reduce exposure while enhancing experiences.
Connect with Michael Williams:
· Website: https://www.clym.io
· Email: support@clym.io
About the Hosts:
[00:00:00]
Hey, welcome back everybody to Telemedicine Talks. We have our gracious host, Phoebe Gutierrez, and myself, Leo Damasco, and I think we have a great guest here, and actually a pretty timely guest as we come along to the end of this year. As these new rules and regulations come along, we have Michael Williams, the CFO and Co-founder of Clym.
It's a leading provider of online regulatory compliance software. Beginning his career at Ernst and Young and later serving as CFO and attorney for multiple organizations, Michael co-founded Clym to help companies simplify and automate their compliance with global data privacy, accessibility, and website regulations.
He specializes in making compliance scalable and cost effective for both SMBs and large enterprises while improving user experience and reducing legal exposure. So his background as an attorney, CFO, and founder allows him to connect legal, financial, and operational perspectives in a way that resonates with a business audience.
So welcome to the show. Thanks for hanging out with us. Yeah. [00:01:00] Thanks for having me. I appreciate it. I always appreciate when there's one of my people on one of our calls. I have to talk to doctors all day, so it's like, okay, great. Now we're gonna gang up on you, Leo. I was like, Phoebe, did you see his bio?
This is all you, Phoebe, go for it. When they ask for doctors on the airplane, are you like, I gotcha? You know, I've told people about that before. I'm like, man, that would be such bad luck if I tried that.
I would be the most hated man on that plane for sure. Oh, I, that's why I have my earphones on and try to, like, pretend I don't hear, and undoubtedly, like, my family members are like, dad, they're calling for you. I'm like, no they're not. No, they're not. Anywho, thank you so much for joining us, and again, I think it's timely.
'Cause before we started recording, we were talking about, hey, you know, there are changes coming along, this is the end of the calendar year and there tends to be rule changes, so forth and so on. But let's rewind. Going back, you started your career as a lawyer, and now, [00:02:00] going into compliance, and now an entrepreneur.
How'd you get there? Is this what you wanted to do when you were a baby lawyer growing up? Wait, Leo. Yeah. We have to ask our opening question. Oh, yeah, yeah. What did you wanna be when you grew up? So this doesn't come across on a podcast, but I'm six foot 10. So when I was growing up, I wanted to be a professional basketball player.
I played in college. I played overseas three years in Europe, two years in the minors here, and the NBA's got a minor league called the G League. So I played in that. I was never quite good enough to play in the G League, but I somewhat achieved my goal, so that's super cool. You could probably hoop up 95% of the people out there.
96. Not anymore. I'm old now, but in my day. Sure. Why not? Yeah. Well, awesome. Then from, you know, hooping it up to law, there's a big jump there. How'd you get there? I got done playing and I'd always kind of considered going to law school.
Back then I was living in the area where I was growing up. University of Connecticut was a good law [00:03:00] school in the area. I applied. They, for whatever reason, accepted me. And then I went there for three years, graduated, and then started my career. I started as a tax attorney initially at Ernst and Young, and then have kind of evolved over the course of time. I was actually a state and local tax attorney at Ernst and Young, and that's been super helpful for what my company does now because a lot of these laws are jurisdiction based. So it's either state level, it could be state, regional, federal level. If you are a global company, you might have to comply in various countries, various provinces at certain areas.
So it's been very helpful to understand the need to take a dynamic approach to these compliance applications. That's awesome. And going into Clym, tell us all about that. How did you figure this is a great idea? Sure. So 2018, I was a CFO at a global travel management company based in Los Angeles.
Even though that company was based in Los Angeles, a new law came out that year called GDPR. It's the world's first modern data [00:04:00] privacy law. It affected companies in Europe or doing business in Europe. The company I was working for was based in Los Angeles, but we held events in Europe.
We collected European data, so we were subject to GDPR. In an effort to get compliant, we hired a consulting firm, paid them a hundred thousand dollars, and the day after the consulting engagement ended, we found ourselves out of compliance. That's the light bulb moment for Clym. We said, okay, there's not that many companies that can pay a hundred thousand dollars to comply with one law, and if you're out of compliance on day two, why bother?
We set out to build a scalable, flexible, and cost effective software platform, initially focused on privacy. We launched in 2020, when privacy first came to the US. California introduced the first privacy law in the US, and over the next couple of years we identified the fact that
our customers don't just need help with privacy, they need help with a myriad of regulations. So we now have the only kind of all-in-one [00:05:00] horizontal approach to online regulatory compliance. And it's, you know, one software for a user to learn and it covers a variety of different regulations. Yeah, no, super interesting.
So I know what GDPR is, I know what privacy is, but... look at poor Leo. Oh yeah. Just glassed over. Could you maybe just, like, in the simplest of terms, just try to, like, explain a little bit about, like, what it means, who it protects, and, like, why these rules are introduced for consumer protection?
We all need to care about privacy. So privacy laws in general, they dictate what companies or organizations can do, the information they can collect, store, and process about you as an individual. So collecting information, think about, like, every time you go on
Google and do a search. They're collecting information about you. And [00:06:00] other companies, much smaller than Google, will do the same thing. So in Europe there's kind of a general European law; in the US these are all generally state by state laws. In other countries it kind of depends. But there's a patchwork of these laws, and so basically companies are obligated
to provide consumers from whom they're collecting information or data, like what they're collecting, how they're processing it, what they're doing with it, who they're sharing it with, those kinds of things. So to put this in perspective and how complicated this is: in 2020, there was one state in the US that had a privacy law, California, right?
This year, 2025, there's 19, right? So in five years, 18 other states have adopted privacy laws and they're all a little bit different. None of them are exactly the same. I was about to say, I'm sure they're all the same law. Right. And they all agree with each other. This is why I mentioned I'm a state and local tax attorney by trade.
This is why this makes sense to me, because the other part about this [00:07:00] that's crucial for organizations and consumers to understand is that these laws primarily affect where a consumer is based, rather than where a company is based. You could be a Texas based organization, but you're collecting information from California residents.
You might have to comply with California's law, right? The same way this makes sense to me is like sales tax. If you're, like, a company and you're selling from Texas to California, you may have to collect and remit sales tax in California, even though you've never stepped foot there, right?
And so the same kind of thing applies. A lot of the companies that we talk to say, well, I don't have a presence there. I don't have people on the ground, you know, I don't have an office there. My headquarters is in Florida, why would I have to comply with a law in California or Europe or wherever? And the reason is the laws are written where the residents or the consumers are based.
But again, it's really important. I think this is somewhat understood in Europe now; it's being more understood in the US. We are sharing [00:08:00] constantly all this information with companies and oftentimes either without our consent or without our knowledge. And I think now when you're seeing more and more regulatory penalties on some companies,
the awareness level is much higher and consumers are understanding their rights more and companies are understanding their obligations a lot more as well. Yeah, I think it's actually really... the way I kind of like to think about it is the same way, like, telemedicine is, right? Like, Leo is nationally licensed, he's practicing in all these states.
Poor guy. That's why he's friends with me. 'Cause he can go, what can I do in this state? What can I not do in this state? But it's the same thing, right? Where you are regulated is where your patients live. So it doesn't matter, when you're doing telemedicine in Kentucky, you have to abide by the Kentucky rules and the regulations and all of that.
And I think that's what makes all of this so complicated, because telemedicine really has made it so that these companies... Historically, you would pick a company, I'm [00:09:00] gonna build a storefront, I'm gonna be in this one state, this one jurisdiction, follow these one rules. Now it's like, let's go everywhere and do all these things.
Mm-hmm. Layering the privacy on top of HIPAA. And when you're talking about healthcare data, it gets even more complicated. And then, of course, like, the patient care side, so I find it, to me it's this really interesting, like, kind of, like, balance, to even, like, Leo's point.
Like, they don't, most doctors don't even realize, like, I don't think people realize that, like, every single time you go to somebody's website, like, they're crawling, they have all these little codes that are crawling all over the place, pulling you, and it's why you're getting spam calls.
Yeah. And it's not just privacy, right? Privacy, you know, you mentioned HIPAA, it's accessibility of the website. You know, so in 2023, we were notified by our customers like, hey, we are seeing a lot of accessibility lawsuits for our companies, right?
So in the US there's the Americans with Disabilities Act, right? There's also [00:10:00] state level accessibility laws as well. That creates additional complexity here, right? So those laws, it used to be the case, you're talking about, Phoebe, brick-and-mortar kind of organizations, right?
It used to be the case that all of these accessibility, ADA violations were in person, right? It's like there's a bathroom stall at a restaurant or a hospital or a doctor's office that's not wide enough to accommodate a wheelchair. That's an ADA violation, right? Because you're not providing a reasonable accommodation to someone with a disability.
Maybe the pitch on your ramp to the parking lot's off, that's an ADA violation. And private attorneys, someone called it ambulance chasers, were suing these businesses or organizations for these violations. In the last five years, almost all of that has moved online, because if you're an attorney, you can maybe walk into 50 hospitals or brick-and-mortar organizations in a day.
You can look at a thousand, [00:11:00] 10,000, 20,000 websites for these violations, because online you have to provide a similar reasonable accommodation, which most people just don't know. Right. So it's a real patchwork of challenges here, specifically for healthcare organizations, or doctors or sole proprietors or whoever it may be in the healthcare space,
'cause there's so many regulations they have to comply with. Yeah. ADA's huge, I mean, that's one of the big ones that I've seen with a lot of clients that I work with, where it always cracks me up because nobody cares about any of these rules until they wanna get their first, like, government contract, or they wanna, like, go contract with, like, a commercial insurance, and it's like they have to fill out the security assessment and they're all, what is all this?
I'm gonna play stupid here, like ADA on the internet, online. Like, what's a good example of low hanging fruit that these ambulance chasers now are looking for? Because I wouldn't even think about it. Right. You know, little old me. I'm gonna practice medicine online.
I'm helping people out. You know [00:12:00] what? What don't I know? Oh, there's probably a lot. There's, oh, I'm sure there's a lot. I guarantee. No, and I'm not saying, listen, I did not know much about ADA up until a few years ago, and I had to get really kind of deep in the weeds here. I did not know that 61 million Americans have a defined disability.
You know, we typically think of people with a disability as someone who is blind or in a wheelchair, right? But it's a lot more all encompassing than that. It's people with dyslexia, people with epilepsy, people who are colorblind. These are all considered disabilities under the ADA.
And so as someone who has a website, and we're not talking about, like, e-comm, we're talking about an informational website. All websites in the US should be or have to be ADA compliant. So it's providing mechanisms for a user to make modifications to a website to say, okay, I am dyslexic.
I can't read your font. Let me modify the font so I can read it. [00:13:00] I'm blind. I have a screen reader. I want to have your website be able to work with my screen reader so I can understand what's actually on your website. These are all things that are important from an accessibility perspective. Again, you have to provide a reasonable accommodation, and that could mean some different things depending on the size of the organization, but you have to think of it more or less like a best effort to make your site more accessible, more inclusive to those who
are experiencing a disability. And to put this in perspective, why this is important: last year there was an estimated 250,000 either lawsuits or demand letters or things like that that ended up in a settlement for ADA violations. The average settlement's $20,000; that's $5 billion worth of ADA settlements estimated last year, right?
So this is a, we used to call this a cottage industry of these ambulance chasing attorneys doing this. That's, $5 billion is a [00:14:00] lot of money, right? And so, and 78% of those settlements are against, kind of, what we call SMBs, right? Small, mid-sized businesses. So this could be like a small group of doctors, independent doctors' offices, those kinds of things.
Those are getting hit more frequently because they don't have the resources to defend themselves in many cases. Now, are these big businesses, small businesses, you know, startups, like, or just, it's just these ambulance chasers go and just find anything, you know, they just troll. They kind of, they mostly troll.
They are, most of the cases are filed against smaller organizations, again, because they don't have the resources to defend themselves. But we've seen ADA violations against larger organizations as well. Again, it's something where the awareness level that your website needs to be ADA compliant,
not many people are aware that's actually the case. We think about the bathroom stall example in real life. Everyone gets that. Most people don't understand the website component [00:15:00] of it, but there's enough legal settlements that have been made in the last few years that really make this need, organizations need to make this a priority.
Yeah, that's very reassuring on entrepreneurs and on our end.
No, I mean, I think the interesting thing is, again, most people don't even realize that these rules exist. So, I mean, this is like one really clear example of something that has been, you know, to me, like, I've known about ADA, of course. My family actually was sued by a local attorney when we had owned a restaurant.
Sure. But yeah, it was exactly that. Except his technique was interesting. He used Google Maps to really figure out who he was gonna target. I digress. I mean, what are some of the things that you've seen, kind of, like, globally, just some of these other rules where, you know, you're working with companies and you see that they're grossly outta compliance and they didn't even realize it?
Yeah. [00:16:00] So we actually developed some tools to assess compliance. Like, basically a risk mitigation or gap analysis tool, where you go to Clym's website, www.clym.io. You can scan your own website and you can see what the gaps are from both privacy and accessibility. It's a really helpful tool just to get a self, a quick self...
It's not a full blown audit, but it's a quick self-assessment to show, like, hey, here's your gaps and here's a scorecard for you. And again, to the previous point, there are some extremely large companies that have gotten fined or penalized because of this, like in Europe. Google has been fined.
Amazon's been fined. Twitter's been fined in Europe. In the US, companies like Tractor Supply, a big brick-and-mortar and online retailer, Sephora, same kind of thing. Healthline was a big one. Very big violation and a fine.
Very significant in the healthcare space. So I think what we're starting to see [00:17:00] is, you know, from a regulatory perspective, regulators are going after larger organizations, but a lot of these laws can be enforced by private attorneys, right? And so the private attorneys are going after the smaller organizations because they're quicker wins, it's lower hanging fruit. I can tell you the trends from a regulatory perspective in Europe: in the first three years, there were minimal fines or penalties levied. In the last four years there's been billions of dollars of fines or penalties. So, you know, most of these privacy laws in the US have been on the books for two to three to four years.
We think that 2026, we're gonna start seeing a lot of enforcement from a privacy violation perspective. There's also all these things that are out there. We're talking about awareness. You have to kind of hand it to the plaintiff's attorneys, 'cause they're very creative. So there are lawsuits being filed against website owners for having chat bots on their website [00:18:00] that don't collect consent from a user in what's called a two party consent state, because they run afoul of state wiretapping laws.
So Clym has a solution for this as well. But basically, in these wiretapping laws, what these attorneys are claiming is that there are states where you have to have both parties consent to recording a conversation. I think there's about 20 of them in the US, and if both parties don't consent, that's considered wiretapping, which is a crime.
And so what these attorneys are saying is that if you interact with a chat bot and that chat bot's collecting information, that's a conversation. And if you don't collect the appropriate consent, we can fine you or we can sue you for a wiretapping violation. There's a lot of attorney jokes for this very reason.
But it's one of those things where the landscape continues to evolve and the risks associated with violations continue to grow unless you are [00:19:00] using automated solutions to help mitigate those risks. Yeah, that's interesting that you were talking about that, because what we're seeing a lot in telemedicine now, especially, is AI going in, right?
Yeah. And AI, the chat bots doing the national triage, doing the front end work. And, you know, there's a lot of movement towards that. And gosh, I remember dealing with a company that was building the AI bot, and I don't know if the appropriate, you know, it's state to state, like you said.
And there was never talk about, hey, in this state we need to get this kind of consent, so forth and so on. Or, you know, just get two-way consent across the board just so you could be compliant with the low-hanging fruit law. But you know, that is kind of interesting to say.
Now, when that doesn't happen, who's on the line? Who's on the hook for that? Who could get sued? Is it the company, the doctor, or both? That's a really good question. You know, it probably boils down to what the contract says between the parties, but my guess is that it's primarily going to be the doctor [00:20:00] for using that.
The doctor could then sue the company. The company could say, like, hey, we didn't know that you were doing this, or we didn't know we were using it this way. Like, there's a lot of things going on there. I would look at the contract to see where that kind of liability falls.
But you're right, this is... Even when you throw AI in the mix, a lot of states are trying to enact AI type of laws. You know, obviously the current federal administration is trying to preempt those state laws for AI. But we don't know. It's a really, I don't wanna call it the wild west, but it's an unknown for everyone that's working in that space.
But the bigger thing here is, understanding the federal and state laws that apply to you is very challenging. And the other part about this that you had mentioned a moment ago is, let's just apply the strictest kind of approach here. That would work, that would probably make Phoebe happy.
But it may not make an operator, like, an operator... My co-founder is a [00:21:00] marketing person. I'm an attorney. There's a natural tension between marketing and legal. We live on opposite coasts. He lives in Charlotte. When we developed Clym, we knew that it had to take a dynamic approach.
All of our settings are geofenced. If you come to someone's website from California, you're gonna get a different experience than you are from Alabama, where there's not a privacy law. If you're a healthcare organization, you're gonna have very similar kind of HIPAA, accessibility, because those are federal, but on a state by state basis it's gonna be different.
Most doctors or healthcare organizations have a profit motive and we don't want to infringe upon that. What we want to do is apply the correct regulatory framework in that particular jurisdiction. So when you're registering for Clym, we ask you, what's your industry?
How many employees do you have? What's your revenue? A lot of these kind of dating questions, so that we can tailor not just what you should do in a state, but what your company should do in a state based on particular metrics, because there are certain laws that only apply [00:22:00] to large employers versus small employers, those kinds of things.
So we wanna really dial it in and make it as unique as possible rather than take a broader approach, because again, that might be good for compliance. It may not be great for marketing. We're talking about what's known on the horizon. HHS developed a rule that said that if you're receiving federal funds through HHS, which most healthcare organizations do,
your website needs to not only be ADA compliant, but what's called WCAG compliant, starting in May 2026. So that's right on the horizon here. Now that's for larger healthcare organizations. Smaller ones have an extra year to comply, but it's on the radar. So not only will healthcare organizations be subject to private attorneys suing them, but now they're gonna have a federal
organization that could potentially levy a penalty against them for having a [00:23:00] non-compliant website from an accessibility perspective. So again, there's so many risks out there that exist, and if you don't accommodate those risks, you are gonna have a very
significant financial and reputational risk. You don't want a HIPAA violation as a doctor, you don't want an ADA violation. These are things where you lose trust with your patients and your community if those things occur. Yeah, and I think the one interesting thing too is, just as somebody who's worked with so many different companies, is there's this interesting balance where, like, you work with a startup and they're like,
we'll take the risk, right? We wanna get our name out there. We wanna do a little, like, the one thing that I love is, like, that's too many buttons to click. I'm like, a consent chat box. Like, come on, man. Like, no, too many buttons. Then you flip into this thing where you're heavily marketing, which draws attention to you, which ultimately catches the eye. I mean, all it takes from a regulatory... you know how I used to do my audits and investigations? It was like [00:24:00] one person would mention something that would be off, and then I would secret shop, and then I would get obsessed, and then it would be like, I'm closing you down.
And it would be that fast, where it was just, you know, you start there. And that's the thing I think that people don't understand, and unfortunately doctors take the brunt of it, because when somebody like me comes in and is auditing, what am I auditing for? I'm looking at the AI documentation and seeing that there's no audit log that a physician actually reviewed it, or seeing the certain things that are on the website that shouldn't have been live, or, you know, seeing some of those things.
And so I think it's really interesting to think about, kinda, like, the balance between, like, doctors and these startup industries who have no clue what the heck is going on. Yeah, you make a couple really good points there. Number one is like, okay, compliance could be expensive. How expensive is non-compliance?
You know, we'd like to take an ounce of prevention rather than a pound of cure approach. We [00:25:00] think that, if you look at some of these fines and penalties for the violations, they're exponentially greater than the cost for actually trying to comply with these things.
The other thing you mentioned that is near and dear to my heart as a tax attorney is audits, right? I've done countless audits from a tax perspective, and that kind of informed how we developed Clym, because we said, okay, what matters in audits? It's receipts, right?
Can you show documentation? Can you show the receipts? Those kinds of things. So everything within Clym is timestamped, right? When someone comes to your website and they consent or don't consent to collecting information, that gets timestamped; there's an actual physical receipt that gets documented. If someone requests...
A lot of these privacy laws allow consumers to request certain information that you've collected about them. Those are called DSARs, data subject access requests, right? If someone comes to your website and requests a DSAR, they fill out a form, they send it in, that gets timestamped, it gets recorded, and then you are obligated to respond to those requests within a period of time.
[00:26:00] Clym tracks it all, reminds you when to send these things out. We provide templates for response, all these kinds of things. But when you say audit, like, that's where most of these fines and penalties and lawsuits are coming from. They can't show, like, there's no documentation that they've even attempted any of these things, that they've tried to comply.
Right, let alone have they complied or tried to comply. But if they don't have receipts available and that documentation, that is where most of those violations and fines actually occur. No, a hundred percent. Again, what I always say is, like, even from what I do now versus in the past, it's a very different experience from a person who is, let's say, being a little, like, loose and reckless, right?
That's, like, not defensible, versus, like, somebody who's done their due diligence and is actually trying and has something to show for it, but maybe was off, right? We would put them on what's called a corrective action plan. Yeah. And so we're gonna put you in a CAP, and we're gonna help you come into compliance.
The people that used to piss me off would be the people where I'd be like, you're doing all these [00:27:00] things wrong. And they would be like, screw you, I'm gonna keep doing what I'm doing. And then I'd go back in a couple months and be like, all right, I guess I gotta shut you down. And, like, I think that's the piece where
it's really interesting, because again, in this industry you have, you know, telemedicine, you have a lot of people who, nobody wants to start with compliance. It's boring. In the tech industry everyone's like, oh, it has to be sexy. Compliance is not sexy. Nobody wants to follow rules, especially rules you don't understand.
Mm-hmm. To me, that's where it's like, you have to make sure you have the right people in your corner to protect you, or the right tools or the right software. So at the end of the day, 'cause everybody will get audited at some point, at least you have something where you can defend your operations, you can defend what you're doing, versus all that work kind of being for nothing.
That's right. And also, I'm climb CFO, right? And so I think about things like, what's the ROI, what's the business proposition here? our, plans for climb start at $49 [00:28:00] a month, right? That's 600 bucks a year for this. All-inclusive, all-in-one.
You get privacy, good accessibility.if you have documents you need to generate, we have a policy generator, like privacy policies, cookie policies, terms of service, all of these kinds of things that are customizable for you. We have the wire tapping functionality. We have HIPAA functionality . We have, a ton of stuff.
It's 40 bucks a month, man. If you get sued one time for accessibility, it's $20,000 on average, plus probably another five for an attorney to take a look at it for you: $25,000. That's on the cheap end, right? We're talking about companies, attorneys for some of these companies you're gonna run, like Leo, the companies you work for, man,
you're talking 200 for sure, but on the low end that's 40 years of a Clym subscription. You know, that's the ROI that I think about when someone says the cost of compliance is too high. There are tools available. I think number one is a lack of awareness that these things exist.
And then number two, lack of awareness that there are a lot of compliance [00:29:00] tools in the market that can be helpful, that aren't going to break your bank. I empathize with, especially, startups, because Clym was a startup. It was a couple of people for a while, you know, and now it's not, but I empathize with the co, I looked at every penny we spent for a very long time.
And that segues into a good question. You know, when you're a startup and when you're starting to create your company, or even just growing, when's the best time to get Clym involved? Is it immediately? Should it be part of your business strategy to get 'em involved,
before you create your website, your strategy? Or is it, hey, let's figure something out and then get these guys in and see what needs to get fixed? I think it should be part of your tech stack from day one. Just because, again, think about how catastrophic a $25,000 to $50,000, a hundred thousand dollar penalty or fine or lawsuit could be to a startup.
You're just starting out. You could get sued on day two, and that's your profit for the year, right? But if you take an ounce-of-prevention [00:30:00] approach and you apply Clym, the starting plan is $49 a month. You can do that early on, you can integrate it, and also as your business changes, Clym can change with you.
So we actually scan your website continuously. If you are making modifications, we'll make suggestions. You know, there are all the things that we can do to be a longer-term partner as your business evolves. Maybe you go multi-state, maybe you need to make changes,
but you'll have this implemented from the beginning. Phoebe, it's like if someone came to you and said, well, I'm a doctor, I don't really care about my HIPAA obligations for the first six months, I'll figure it out. That same kind of thing, right? Why would you take that risk when the cost of compliance is so low
When you compare it against the cost, the expense of noncompliance, and again, anyone in healthcare, one of the worst things from just, let's leave aside the financial risk now. Like what about the reputational risk if you get sued in open court, there's some public records. Yeah. Like, and even if not, the word will [00:31:00] likely get around that you had some sort of violation, which you just don't want from a reputational perspective.
Now, is that reportable to boards too, Phoebe? Do you know? Like these kind of violations? Technically, right? I mean, I could report you to the board for just about anything, right? 'Cause, same thing. You know, here, you guys fall into professional services, so you have a moral oath to operate a certain way, which again, unfortunately, consumers can
do anything with. I think the harder thing is, how are you gonna justify that and get another job, right? How are you gonna go, hey, I didn't actually pay attention to these things? And I think one thing that's really relevant for people too, that I always like to harp on a little bit, and it's slightly different than kind of like, you know, the HIPAA and ADA, but just in general, how touchy marketing is from a compliance perspective.
And I think too often it's just like pushed under the rug of like, let's just go figure out a catchy phrase, or let's figure, let's say [00:32:00] what we want. Let's put this thing on our website. Let's market these ways. Like you've heard me, Leo, talk about, you know, the weight loss and how some of that stuff Oh yeah.
But from your perspective as a PC owner of a lot of these companies, this all falls in your bucket, bud. Yeah. Like all of this falls underneath you as this private practice owner who is supposed to ensure compliance end to end. Right? And so it's not just compliance on the clinical side. It really is like, how are you marketing?
Are you doing an accurate representation of your clinical service and what's allowable? To me, I think there's more reputational harm that could happen by being affiliated with a company that is, you know, we've all heard it where they say there are ghost doctors that do all this stuff.
But how can you as a physician who's trained clinically understand what the rules are unless you have the right tools and the right people? That's why, like I always say, as a PCO, you gotta make sure they have a compliance [00:33:00] officer. You gotta make sure they have somebody who knows what they're doing.
Otherwise it really is a little too loose for my liking. Yeah, no, this definitely wasn't in the curriculum for med school, right? No, there was no compliance class, no entrepreneur class. And echoing Phoebe's comment, you always say compliance officers, and I think Clym would be a good tool. Yes. There you go. Because again, any part of it is like, and again, I get told it every day where it's like, oh yeah, we'll bring you in, or when we are at this point we'll bring you in. And I'm like, sure, that's gonna cost you a hundred thousand dollars.
You know, to your point, gonna have to bring me in and we're gonna have to rework a bunch of stuff 'cause you built it wrong. Or you could start. Easy way, and the correct way, and build it all correctly around a framework of compliance, which nobody really listens to me when I say, but is what I will continue to harp on.
No, I've definitely been in companies that have, once the compliance question [00:34:00] comes up, and undoubtedly they're like, oh, we're not following the rules. They've spent many, many man hours, right? It costs a lot more money, more than $40, $60 a month, to right the ship, and a lot of times it's hard to right the ship 'cause you're already too deep, right?
You're already too deep in your workflows, your processes, your marketing, so forth and so on. Well, I mean, let alone just even the required forms that you have to have on your website: a terms of service, a privacy policy. I mean, those are things too that you're gonna have to pay for regardless.
You might as well have the right tool. And I think the way that you're able to do it digitally makes sense. Yeah. Yeah, that's right. And also the other part about this is, my guess is that a lot of healthcare providers have probably outsourced some of their website-building functionality to a third-party website design firm.
We work a lot with those, [00:35:00] and they're primarily marketing focused, which is great. But most of them, when we talk to 'em initially, don't necessarily understand the regulatory framework. And that's really putting their customers at risk.
Right. And so, specific to the healthcare vertical, a lot of times the doctors or whoever's running that office is gonna think, oh, I have somebody managing that for me. They have to know what they're doing. They may think that they're outsourcing those regulatory requirements, but most of the time it's not actually being done.
And if it's being done, it's not gonna be done properly. Yeah. And I think most of the time the doctors don't know to ask that question. Yeah. Yeah, for sure. You know, it's what we don't know, right. I've been in a lot of meetings where it's like, hey, how can we use our marketing tools, you know, the website, so forth and
how can we get more patients, more business? But I don't think I've ever heard anybody bring up the whole, hey, is this compliant? Are we doing the right things? Are we following the rules? So that's kind of scary on my end, 'cause yeah, we don't know what we don't know. And I [00:36:00] think, you know, not knowing to ask this question
can lead to big negatives. And a lack of awareness is not gonna be a defense when it comes to any of these kinds of lawsuits or violations, right? I can't go up and be like, oh, I didn't know, I'm sorry. That's right. And again, even if you remediate after the fact, you're still subject to the financial penalty part of that.
That's the thing about it, there's no real time for remediation for these things. It's like, hey, you did this, you're on the hook financially. No, I mean, I think, to your point, Leo, this is where it's really important. I know everybody makes fun of me. I feel like it's a constant joke, not in my face, behind my back.
What's the difference at this point? But again, one of the interesting things is like in this industry. it is more and more, taking, front and center. And I do think the telemedicine industry is going to be, my hypothesis next year is all these companies [00:37:00] doing ai, having AI chat bots, doing these very interesting marketing techniques.
I think they're going to be in for a surprise when it's not just that there are ADA fines, but there are gonna be FTC fines, there are gonna be all these fines that are coming, because they didn't take the time to look at the rules. I think you said this when we first started this, and you know,
you already see telemedicine getting clamped down on. I think it's only the natural progression that this is kind of the next step. As things trickle down and the market kind of settles, right? People are just catching up. We're just getting over the whole COVID thing and getting settled and actually getting to define what telemedicine is and the rules.
And now the rules are being enforced. I think I agree with you. It's gonna play front and center and this is gonna be more important. Here's another thing to think about. Show me the incentive. I'll show you the behavior, I like that saying That's a good one, right?
[00:38:00] Most of these governmental agencies need money. So if I need money, I'm gonna go try to find new revenue sources. In California, for example, last year the office of the attorney general got a $20 million allocation to go pursue privacy violations. So that's just one state.
And how much of an effort can they bring with that money? I think a lot, right? And so I think you're gonna see a lot more widespread regulatory fines and penalties from the state level, and I think also, with the changes to accessibility requirements from HHS, you're gonna see a lot more enforcement there as well.
I think 2026 is gonna be a year where we see increasingly elevated enforcement at a variety of levels, which again, a lot of organizations just aren't prepared for, because they've not taken some of the very basic steps for compliance. That [00:39:00] was always like, when I was regulating, one of the policies I was actually over, which is kind of funny, was the sanction policy back in California.
We didn't have regulatory authority to actually sanction health plans. So I got to work on the whole regulation package, and now you look at how California makes a lot of their money: sanctioning health plans. You don't do a notice correctly.
And this is something else too, and this is taking a little tangent, but bear with me for a second. A lot of the ways that these regulators are gonna come after you too, as you think about it, is not just, oh, we're gonna fine you $20,000. Some of these are per occurrence. So one of the big things was health plans had to send out paper notifications.
It's a Medicaid rule. It's for parity. Per occurrence. So if they're seeing 10,000 patients a year, it's 10,000 occurrences. Yeah. So it's a per-occurrence violation. I saw health plans that didn't wanna do something because that was what [00:40:00] the rule said, and they were gonna do it a different way, or they didn't do it within a certain timeframe, and they were being fined $8 million because it just compounded.
You have a million members and you were supposed to do this thing and you got fined $200 per act of non-compliance. That's the level that it gets to. And so again, when people think about, oh, I'm just gonna take the risk, I don't think they look at those nuances, from how we internally would.
We're gonna look at some data. We're really gonna come after you where it hurts. Most of these, specifically privacy laws, are also per incident, right? Or per consumer record. So in California it's up to a maximum of $7,500 per consumer record. That adds up very quickly.
If I'm a politician, I don't wanna raise tax rates, I wanna find revenue elsewhere, right? I'm gonna lose my seat, whatever that is, if I raise tax rates. But if I can do this through these secondary avenues, these almost phantom taxes that are more of [00:41:00] regulatory fines and penalties, that's a way for me to generate revenue without any kind of real public dissatisfaction.
Even, you'll probably get public benefit from that, because you're showing that you are enforcing the law, which most people appreciate. Right. So I think here it's a revenue generation tool. You know, it took Europe three or four years to really get that accelerated. Now that these privacy laws have been on the books for three or four years, we anticipate a similar acceleration in the US now.
Yeah. Sounds very interesting. Very, very interesting. We are headed into time. I wanna be respectful of your time, but I think it would be great if we could talk more about this and, you know, updates and stuff, and hopefully get you on on a regular basis, if you don't mind. I know Phoebe would love it too.
Talking compliance. She gets, so on one of the doctor talks, I'm so on an island by myself all the time because there aren't a lot [00:42:00] of people who truly understand this space and actually respect it. And so for me, I tend to talk to a lot of people who say they care, and then when it comes time to actually execute, it's like, yeah, we're gonna actually ignore that rule.
Like, we're gonna not get an EHR. And I'm like, yeah. No. Look, I'm happy we did a broad-stroke, 30,000-foot view. We talked about a bunch of these. Yeah. Deep dive: we can deep dive about ADA, we can deep dive about privacy. Any of those things you guys are looking for, whatever your listeners want,
I'm happy to talk about it. And I think they'll eat it up. Just even listening here, honestly, it gives me the cold sweats. Because there are a lot of things, as a PC owner and hopefully an entrepreneur just starting up, I haven't asked.
And it's gonna fall on my plate as the practice group owner. Sometimes the companies, when it comes down to it, point to me: you're the compliance guy, you're supposed to do this. So I think it's very, very useful for our listeners to be aware of what they don't [00:43:00] know.
The first thing they teach you in law school is that ignorance is typically not a valid defense. And again, I'm using ignorance, but I mean the lack of awareness. What you don't know can really harm you in a variety of different ways.
And thank you for educating us, and looking forward to more of this deep dive. This is a great topic, and understanding is gonna be key. Privacy laws are gonna increase.
Regulations are gonna start getting enforced. Thank you. Last thoughts before we go? One last kind of nugget to part with?
I think one additional nugget would be that you are never too large and you're never too small to take this seriously or to get started. And if you don't know where to get started, please visit our website, it's www.clym.io. We have support.
Just drop us a message in the chat. We're always here to help. And again, we work with some of the smallest companies in the world, like sole proprietors, and then we also work with [00:44:00] Fortune 1000 companies, right?
And that's important for us because we want to provide a scalable technology to serve both of those markets, but it's never too late to get started. If you have not heard of this before, or if you have but you've done nothing about it, a year ago was the best time to make the choice around this.
Today is the next best time, right? So get started, get some momentum, get these compliance practices in place. You may not be able to mitigate the prior risk, but on a go-forward basis you can do so. It's all about educating yourself, staying informed. What's the saying?
Nobody likes surprises. So just try to educate yourself a little bit on these things. Indeed. Awesome. Thank you so much again. That's c-l-y-m.io. That's right, for Clym. And if you have any questions, definitely email us: phoebe@telemistalks.com,
Leo at telemistalks.com. Thank you for joining [00:45:00] us, and Michael, hopefully we do get you back on and get in the weeds of things that we really need to be aware about. So thank you so much for your time. I totally appreciate it. Thanks for the opportunity. I appreciate it. Awesome.
Adding on to your piece of advice about getting this started, you know, a lot of the time one of the big speed bumps is that it's too hard, right?
Really, is it worth the squeeze? How simple is this to get going? Great, great question. This is a really big deal to Clym. So when we started, I'm an attorney, I'm not a developer, right? So we have an incredible team of developers at Clym that are working on the technology, but when we started the company, I said, someone who is not a developer needs to be able to get up and running and implement Clym in a very brief period of time.
Usually the feedback that we get from our customers is that in about five minutes, and again, this is the first time they've ever seen Clym, in about five minutes they can register and [00:46:00] they can implement Clym into their tech stack, into their website. So if you can copy and paste, you can get set up and running with Clym's default settings.
Now, we have default settings across 160 different regulations, right? So you are out of the box pretty much ready to go. If you then wanna customize things, you can do so to your heart's content. But again, we wanted to make this super easy, because we know that compliance is hard in many cases, and it's that fear of it being challenging that prevents people from getting started, because they think they need to climb a mountain.
All they need to do is copy and paste to get themselves up and running with the default settings with Clym. And again, you can then customize it if you want, but we wanna make it as easy as possible for people. Yeah, no, that sounds super easy. I know doctors can copy and paste. We do it with our APIs all the time. But yeah, that would be one of my hesitancies, to be like, hey, you know, I'm gonna implement this, because I just don't wanna spend the time to figure it out or fumble on it, so forth and so on.
So it's very [00:47:00] reassuring that, you know, it's as easy as copying and pasting my HPI to a patient. That's awesome. Thank you so much for that.