LIVE From the 2024 Medical Spa Show: Spotting The Legal Red Flags

May 1, 2024

In this episode, hosts Brad and Michael take the Legal 123s with ByrdAdatto on the road to the 2024 Medical Spa Show. Tune in to this live recording as we share medical spa stories fit for Sin City. From the importance of solid workplace policies to the pitfalls of influencer marketing and a QR code redirect gone wrong, each story provides you with tools to navigate the complexities of medical spa compliance. Dust off your “ding” button and get ready to spot the red flags with us.



*The below transcript has been edited for readability.

MC: [00:00:00] Welcome back, everyone. We are doing the Legal 123s with ByrdAdatto, Spotting Legal Red Flags. We have Brad Adatto and Michael Byrd.

Brad: So some housekeeping rules here. So this will be eventually a release of one of our live podcasts. If you have not found one of these near your seat, this is called the ding button. And so today it’s going to be an interactive process that we’re going to go through. We’re going to have three client stories that we’re going to go through and teach you how to spot certain things. But during these stories, we won’t be taking questions. At the very end, we are leaving time for Q&A. After this podcast, we’ll have 30 minutes, all the lawyers here will be up here for another legal panel for Q&A, so just wanted to give you some of that.

Michael: And when we do get to the Q&A, if one of your questions is, are these seriously real stories that happened? The answer is yes.

Brad: So what’s going to happen is when we have conversations with clients, sometimes y’all start [00:01:00] saying things and we start spotting red flags, as we call it – something that’s like, eh, that’s a little suspect. And so we ding it in our brain that we need to talk to you about that. So today, we’re going to have you guys have your little orange ding sign, and as we’re telling stories, we’re going to start training you to start hearing it. So when you hear a red flag, what are you supposed to do, Michael?

Michael: Ding.

Brad: Right. So we’re going to try it out, everyone. So everyone grab your ding sign. This is interactive. If you can’t hold the ding sign, you have to leave [laughs], but hold it up. Everyone get them up there. Hold them up. All right, we’re going to take a quick little picture. Everyone smile with your ding button. And if you don’t have a ding button, we have plenty. So, there we go. We’re good? All right, we’re good. All right, well, we’re going to get going now. And Kennedy, let’s cue it up.

Intro: Welcome to Legal 123s with ByrdAdatto. Legal issues simplified through real client stories and real-world experiences, creating simplicity in 3, 2, 1.

Brad: Well, welcome back to Legal 123s with ByrdAdatto. I’m your [00:02:00] host, Brad Adatto, with my co-host, Michael Byrd. And Michael, we are live at the Wynn in Las Vegas at the Med Spa Show, 2024. Michael, are you ready for another live episode in Vegas? Woo. Vegas. Vegas. Woo.

Michael: I’m ready. Brad. Before we get too far into today’s show, I first want to ask some questions to our audience. Who here has listened? And you can raise your ding button to answer. Who here has listened to the Legal 123s with ByrdAdatto podcast?

Brad: Oh, this is awesome, man. We’ve gone from three fans to 10. This is amazing.

Michael: Yes, yes. And I don’t see your mom in the audience, our number one fan, so we’re crushing it, Brad.

Brad: That’s so good. Okay, Michael, well, I’m excited to be back here in Vegas at MSS 2024. I mean, can you believe this is the sixth year of the show?

Michael: Okay, Brad, your math is, we know is not your strength. I’m a lawyer. This is the seventh year of the Medical Spa Show.

Brad: [00:03:00] No, no, no, no. The first year of MSS was 2019. It was the Aria Resort and Casino. This year is 2024, Math – sixth year.

Michael: Well, you are right about part of it, but you’re so wrong about another part of it, Brad.

Brad: Well, please explain. Okay.

Michael: Well, the first MSS was at the Aria, but it was in 2018. You just don’t remember it.

Brad: No, no.

Michael: I think we have a logo that would approve.

Brad: No, that’s not possible. I have a steel trap memory like an elephant, Greg. I mean, Mike, I mean, I remember every MSS, maybe.

Michael: You’re losing it, man. First my name is Michael, not Mike or Greg. And second, in 2018, you did not attend MSS because you were too busy with some family function.

Brad: Well, in my defense, the family function in 2018 was my baby. My daughter was in a New Orleans ball that same weekend, that same night. So, I mean, how could I not be at this really cute moment?

Michael: Audience, don’t fall for it. This is Brad’s trick [00:04:00] to soften you up to make him more likable. And it works. It works.

Brad: All right, Michael. So since I missed the MSS prequel, what was it like?

Michael: You mean the first MSS show?

Brad: Tomato, tomato, it’s all the same.

Michael: Okay. Well, show me your ding button if you were here in 2018. Okay, we have an OG or two. Okay, well, it was a lot different. So it was the first show, it was at the Aria, and you were in the planning part. I remember that. We were like, we got to cap it at 500, but we were all like praying for a couple hundred to show up because it was the first one, and we didn’t know what the outcome was going to be. And it was crazy. They were having to turn people away because we hit the max of 500. And there were even exhibitors who weren’t exhibitors that were sneaking in and leaving brochures [00:05:00] on tables. And so, you really missed out, Brad. Yeah.

Brad: Yeah. All right. So you are in Vegas, and I’m not there to shepherd you and Jay from getting out of control. So tell everyone all the crazy things y’all did without me.

Michael: Well, I think I stayed up till like 10:30 one night. And I played some tennis. Yeah, pretty much like what I’m doing this time around.

Brad: That sounds so Vegas-like. Yes. You know, there is a rumor that you and Jay were invited to – y’all went to an exclusive club in Vegas where people who dance with their skills, they get dollar bills. Any truth to that?

Michael: Absolutely not. But at one of the kinds of introductory parties Jay and I, I mean these poor AmSpa members did not realize they had the wrong target audience, but we were invited to join them at a show. The show was, I don’t know if y’all remember, Thunder from Down Under. [00:06:00] We didn’t go.

Brad: Oh, okay. Well, yeah, it is Sin City, so hopefully they had fun even without you and Jay. Now Michael, we have this great live audience. What are we covering today?

Michael: Okay. Well, as a business and health care law firm, we are sometimes triggered by certain buzzwords our clients will say in conversation. We know that there’s a potential disaster when we hear these words, and we are immediately on high alert, they are red flags.

Brad: So our first vocabulary word is red flag. And according to, and obviously we have to trust it, a red flag is either a little warning or a figurative form. Like your ship is sinking red flag, right? So today’s show, we’re going to incorporate some of the fun that we have with these red flags. So, whenever you hear a red flag or when we hear red flag, what happens? Michael?

Michael: Ding.

Brad: Wow. Good job. All right, now audience, you warmed up, so you kind of get a real good flavor of how to use this ding button. So, I’m going to tell a true story, and as I tell [00:07:00] the true story, I want you to start thinking about if in your mind, does this sound like a red flag, and pop it up there. All right, ready. True story. In Florida, ding, a physician who was not licensed in the United States, ding, was a medical director for a practice where they had a medical assistant who was providing injectables, ding. They had no Good Faith exam, ding, no supervision, ding, and if there was an issue, the medical assistant was supposed to call an RN, ding, who was on call to help out. How did we learn all this? Ding. We learned all of this, when an undercover police officer, ding, who went in there and arrested the medical director, the owner, ding, and the medical assistant, ding. So, there is an example of the dings. Thank you, Michael. You did a great job.

Michael: Yes. That should paint the ding picture, and our other real stories have plenty of opportunity as well.

Brad: Yes. All right, Michael. So we are in Sin City. The audience, you might start seeing a pattern here with some of these stories, but again, these are fun, but true stories. Not always fun [00:08:00] for the other people, but fun for us to learn about later. So we’re going to start off with the first story. The first story is a young plastic surgeon who the senior physician recruited. They really liked him, they loved him, and this plastic surgeon we’ll just call Dr. Hugh Jackman.

Michael: Ding. First, Brad, giving this doctor the fake name of Hugh Jackman is a cheap way of trying to bring the Australian actor in to reference this Thunder from Down Under comment or story that we’d started with at the beginning. You’re better than that, man. I’m so sorry. The second ding is that this is a red flag show, and that doesn’t really sound that much.

Brad: All right. Hold on, hold on. Looks can sometimes be deceiving. I mean, obviously the doctor’s a good-looking man, right? So this plastic surgeon had a very busy practice and he was located in a different site than the main office, so he had a satellite office away from the main group. And suddenly, Dr. Jackman, he started speeding through clinic days at the satellite office.

Michael: Ding. Oh, I’m not sure. I mean, is that a ding or not? [00:09:00] What was the reason?

Brad: Well, at first it was unclear as to why Dr. Jackman was seeing the same number of patients. He was just doing it faster.

Michael: Maybe he was learning to streamline his clinic days.

Brad: Perhaps. The behavior of speeding through clinic days actually started to accelerate to the point where Dr. Jackman started to cancel clinics prematurely or even limit his clinical days.

Michael: Ding? I’m still uncertain if we’re at a ding moment or not. Limiting clinic days is not necessarily bad if he’s increasing his surgical days, but I’m dinging just to be safe because I know you.

Brad: So finally it started to rise to the point where Dr. Jackman would just close the clinic early, just send his staff home without much notice at all.

Michael: Okay, that’s a definite ding. This is starting to sound like there’s something going on here when you’re starting to send staff home.

Brad: Well, in one of these occasions, Dr. Jackman closed the clinic early, and in doing so, one of the members of his team, Nurse Kidman, forgot her personal items and returned back to the office.

Michael: Okay, well ding, you [00:10:00] bring in another Australian in, Nicole Kidman, and I’m afraid to ask what she learned.

Brad: Well, she did walk in, she came through the back door, the staff typically goes through and she noticed that most of the clinic was shut down, so that was fine. She was heading over to the break room and noticed that the lights in the waiting room were still on. And she saw that Dr. Jackman was using the patient computer located in the waiting room.

Michael: Why is there a computer in the patient waiting room?

Brad: Well, this practice had carved out a little area where the patients could show up and enter in there to protect their health information and directly put it into their EMR system, and therefore they had PCs in the waiting room.

Michael: Okay, I’m dinging you to protect the audience because I’m really hoping you’re not trying to build up to a HIPAA story because a HIPAA breach, while that could be a red flag, it’s not great for a live audience.

Brad: Okay, we’ll just wait for it then. Well, Nurse Kidman did not see Dr. Jackman entering HIPAA information into the waiting room PC, in fact, he was streaming porn. [00:11:00] And let’s just say enjoying what he was watching.

Michael: Oh, double ding.

Brad: Yes.

Michael: Well, Brad, thanks for making all of us feel uncomfortable. I’m starting to think that there’s like a Cinemax movie going on here, something. I’m afraid to ask the next obvious question. But what did Nurse Kidman do?

Brad: Actually, this is very true, and this is not based on a story a friend once told you in college. Nurse Kidman obviously left the building, was disgusted as to what she just saw because of several reasons. One, she did not believe what she just witnessed. And two, this was her immediate boss, and now she obviously knew why was he closing the clinic early. But she was really scared because she didn’t know what she’s supposed to do. Does she report him? Can she be fired if she does report him? And if he’s fired, he’s the only doctor that supports this satellite office. So [00:12:00] honestly, Michael, she was just in a real pickle.

Michael: Ding. And by the way, ding, this Australian thing, Dr. Jackman. Seriously?

Brad: It’s just his name [laughs]. It’s just his name.

Michael: You had to go there. Okay, let’s move to the law portion of this story before you finish.

Brad: Alright, Michael, let’s talk about the law and the risk of reporting your immediate boss for an HR violation.

Michael: Well, I’m dinging you for pulling in some fancy word like HR. For those who don’t know, HR means human resources. Human resources focuses on managing an organization’s most valuable asset, its employees. HR’s core function is to have the necessary resources for their task and foster a positive work environment for the employees. They handle a ton of different responsibilities from recruiting, benefits, training, and on occasion employee complaints.

Brad: Good catch, Michael. And I think we need to add one more vocabulary word to this conversation, the [00:13:00] EEOC, what is that?

Michael: I’m actually dinging you more than this story, I think, for putting this on me to do the vocabulary order. So the EEOC stands for Equal Employment Opportunity Commission, which can be a state or federal agency that administers and enforces civil rights laws against workplace discrimination and retaliation claims. But basically, it’s where employees file complaints no matter the potential issue.

Brad: Good job, buddy. Perfect. Now that we established these two really important vocabulary words to today’s story, you know, HR and EEOC, what option would Nurse Kidman have understanding those two things?

Michael: Well, let’s start from the employer’s perspective. So hopefully the HR team provided training or general oversight on the policies in place to Nurse Kidman so that she would know what to do on a situation like this.

Brad: Yeah. And when you’re talking about the type of knowledge of actual [00:14:00] workplace policies, what are you talking about?

Michael: Well, the most common is the employee handbook. And so you want a living handbook that is actually what the practice follows, and something that Nurse Kidman was aware of beyond just signing it the day that she was employed. But it can be in other posters or other training. There’s any number of ways to kind of implement policies of the business for employees.

Brad: Yeah, that’s a good point. And we always tell our clients, look, you should be constantly reviewing them, making sure your policies are up to date, that they make sense, and then obviously training them as Michael just said. And this will obviously help reduce the risk of what we call unfiled internal complaints because the employee doesn’t know how to handle an HR issue. If the employee doesn’t know what to do, obviously they sometimes seek outside counsel, they can result in an EEOC complaint or every employer’s favorite – lawsuits.

Michael: Ding. No employer [00:15:00] likes lawsuits. Oh, additionally, no employer likes these types of complaints to hit the public view. It’s not good for business. In this story, it’s worse because her actual boss is the person causing the compliance issue. And so, it adds drama of like, who does she speak with internally? So, you know, what happened?

Brad: Well, lucky with this practice, they actually had a very active HR group and they worked with a wonderful and handsome attorney.

Michael: Ding. You just had to add yourself to the story.

Brad: I never said it was me, but thanks for the compliment. Nurse Kidman did go to HR and talk to them about all her concerns. The HR did do their job. They handled the situation in a very professional way, not surprising probably to anyone in the room. Dr. Jackman had many personal demons besides his porn habit and actually did enter rehab. Now, believe it or not, this story happened about a little over a decade ago. And now Dr. Jackman is sober. He’s actually a well-known plastic surgeon, and [00:16:00] now he’s a partner at that same plastic surgery group. He actually has credited Nurse Kidman for reporting him and helping change his life. And believe it or not, Nurse Kidman is still with that same group, but she’s now in an HR role.

Michael: Nice twist. Alright, let’s move to story number two. You ready?

Brad: I’m ready.

Michael: Okay. Our second story today deals with a dermatologist. She’s in a thriving medical spa. Her name is Dr. Kate Blanchet.

Brad: Oh, ding. All right. You’re doubling down on this thunder down under reference. Yeah, but I actually like it. I’m going to take that ding back.

Michael: As the expression goes when in Rome. Plus, Dr. Blanchet is royalty in the medical spa arena. She’s a doctor’s doctor and is known throughout the country for her work in aesthetic medicine.

Brad: Okay. Cool. You may proceed, sir.

Michael: Okay. Dr. Blanchet was old school in her ways and often worried that she was being left behind by the modern medical spa.

Brad: Yeah. I’m just going to [00:17:00] ding you on the word modern, I’m not sure exactly where you’re going here, but there really isn’t an old aesthetic treatment. I mean, it just hasn’t been around that long.

Michael: Yeah, fair point. Dr. Blanchet was actually cutting edge when it came to the procedures themselves. She was a KOL with industry and was on top of the newest and greatest treatments. She was a little behind in marketing strategy. Actually, you and she may be friends on MySpace.

Brad: Oh, she’s my one follower. That’s awesome.

Michael: Yes. So she was approached at a conference by a nurse known in the industry as a massive influencer. Even Dr. Blanchet, who was not on social media, other than MySpace, knew of this nurse practitioner. This NP it turns out idolizes Dr. Blanchet and told Dr. Blanchet that she wants to join her practice.

Brad: Yeah. I’m just going to ding you because I’m now suspicious of your story and I feel like you’re intentionally not sharing the NP’s name.

Michael: Did I not mention this? Her name is [00:18:00] NP Kardashian.

Brad: Ding. Alright, your first ding is first bringing a non-Australian into today’s story. Nothing wrong with America, love it. But ding on the – are you using NP Kardashian because is she an influencer?

Michael: Yes, Brad, she is. NP Kardashian had a crazy number of followers. She joined Dr. Blanchet and the practice skyrocketed overnight with this dynamic combination.

Brad: Okay. And I’m curious, so as an NP, what was she famous for? Was there certain procedures that maybe she did or something like that?

Michael: You can say that.

Brad: All right, I’m dinging him. I don’t know if y’all should be ding him either, but I object to your vague answer, sir.

Michael: Well, let’s just say that Dr. Blanchet should have asked a few follow up questions during the interview process. It turns out that NP Kardashian became famous for her videos that she made of herself.

Brad: Yeah. Well, hold on, Michael. I’m not going to ding you for that, but you said she was an influencer, and even I know that it’s extremely normal for them to post videos. I know influencers use something called TikTok all the [00:19:00] time, so I’m actually not following this issue.

Michael: You’re making some assumptions about TikTok. Did I forget to mention the social media site that she was using?

Brad: Yes. And ding, because now I’m very nervous as to what you’re about to say.

Michael: Well, I’m not sure if you’re familiar with it, and Dr. Blanchet was not, but it was called OnlyFans.

Brad: Oh, ding. Ding. Ding. Michael, I don’t know if we need to go further in this site. Let’s move on to the law portion of this.

Michael: Okay, here we go. The problem is that Dr. Blanchet found out about NP Kardashian’s posting career when overhearing patients in the waiting room.

Brad: Ding. Oh, yeah. That’s a bad ding. What a way to learn what her star employee was up to. What did she do?

Michael: Well, she called me wanting to know her rights. I said, it depends. And then I would really need to see the video myself to better understand the options.

Brad: Ding. All right, look, we all know Michael now, we know Mr. I’m not attending Thunder Down Under, there’s no way. You’re too straight laced. There’s [00:20:00] no way you asked her that question.

Michael: Fair. But I did think it would be really funny if I asked her that question, but I didn’t know her well enough to see how she would react to my 13-year-old boy sense of humor.

Brad: Yes. And ding for letting everyone in the room know that we have maturity levels of 13-year-old boys. But seriously, what did the doctor do? What were her legal resources in this situation?

Michael: Yeah. So, NP Kardashian had executed an employment agreement with Dr. Blanchet’s medical practice. And as part of the employment agreement, it noted that by damaging the reputation of the practice, she could be terminated with cause actually.

Brad: Well, that’s an interesting question. By posting on OnlyFans, is she damaging the reputation of the practice?

Michael: Well, in Dr. Blanchet’s mind, she was damaging the practice’s reputation. And it’s a fair question because these types of clauses can lead to litigation on what is damaging the reputation. But oftentimes it is at the [00:21:00] discretion of the employer, and something like this would probably qualify. Although Dr. Blanchet was known for being cool in the aesthetic industry, having one of her employees well-paid and well-known for posting her assets on a website for all to see was upsetting to her. However, Dr. Blanchet really liked NP Kardashian that she was a great employee and injector.

Brad: All right, so let’s keep moving Michael. What happened?

Michael: Well, ultimately, even though Dr. Blanchet believed she did have the right to terminate the relationship based on these outside activities and the negative impact on the practice, she decided to speak with NP Kardashian on her use of the site. And I walked her through all the options and how to have this hard conversation with NP Kardashian. And they ended up having a great conversation. And the NP Kardashian agreed that she loved working with Dr. Blanchet, and did not mind turning off [00:22:00] her OnlyFans page.

Brad: Well, I actually didn’t see it going that way, but I’m glad it did work out. Now, Michael, since we have the smartest man in ByrdAdatto here in the room, and he’s a podcast series regular, why don’t we have Jay come up here and tell the last story of the day?

Michael: I agree. Maybe he can help us in both being smarter and more mature.

Brad: Yeah, Michael, don’t ask the impossible of him. That’s way too big of an ask for even Jay.

Jay: All right. Hey guys, how’s it going? Good, thanks. My invitation didn’t get lost in the mail this year, so appreciate that. All right, you guys ready to let the dogs out?

Michael: I hope this story has nothing to do with PornHub or OnlyFans.

Jay: I make no promises. Alright, so our story today is about a pediatric physician and his creative marketing campaign. And let’s just call him Dr. Chris Hemsworth.

Michael: Ding. Now Jay’s got all the women picturing Chris Hemsworth working at Thunder from Down Under.

Jay: Hey, better him than Brad. [00:23:00]

Brad: That’s true.

Jay: So Dr. Hemsworth, he was looking for a new way to promote his practice. He had some expertise in ways that he could help children, and he really wanted to get that out there. And so, his idea was, let’s create this really dedicated website to what he could offer this particular special set of skills that he could offer to pediatric patients, and how to get this out to the community. And to get people to this website, he engaged a marketing company to help create brochures and literature and business cards.

Brad: Yeah. I’m going to ding you. Even to the old, gray haired guy up here that sounds like Dr. Hemsworth needs to get to AmSpa probably and learn about more modern marketing techniques. Only using brochures and business cards, that feels very old school to me.

Jay: Well, Brad, it’s not a today story. This was a long time ago, so that was kind of normal back then.

Michael: It would’ve been during your prime Brad, so you should [00:24:00] relate to Dr. Hemsworth.

Brad: The eighties, huh?

Michael: Yeah.

Jay: So, on this marketing material, rather than just simply listing this website on it, the marketing company decided to use a QR code so that when people scanned it, it would direct them to this website.

Brad: Well, that’s great. And you know, since Covid, I think when we originally started, probably a lot of people didn’t know what QR codes were, but I’m assuming now most everyone in this room knows what a QR code is.

Jay: Yeah, and I mean, this worked great. I mean, he put it on the material, he started handing out these business cards, put all the literature and the flyers in hospitals and pediatric practices. It was just spread it out everywhere. And the QR code worked beautifully to send it to the website.

Michael: I’m sending a warning ding right now. I haven’t heard anything that raises a red flag, and I want to make sure you read this invitation about this being about helping people spot red flags.

Brad: Ding.

Michael: [00:25:00] Is there more?

Jay: Yes, gold star for Michael, of course. But first, we are going to have to skip two years into the future. So let’s take our time machine two years later after this marketing campaign.

Brad: This is awesome. We’re going to get some fun here. So two years – does that mean we hop into DeLorean with Michael J. Fox?

Michael: Ding. Okay, stop trying to make this podcast about movies. We’re not going to have side conversations on your Back to the Future references. Come on Jay, you can go forward.

Jay: All right. So a couple years later, Dr. Hemsworth gets a call from a local facility where he had distributed some of this literature, and they said Dr. Hemsworth, for the last week, parents of our pediatric patients have been trying to go to your website using the QR code, and they’re not making it there.

Michael: Ding. Let me guess. They’re redirected to a competitor’s page.

Jay: I’m going to say ding, because obviously the tone of this is not like [00:26:00] that, so no. Instead, when these parents were checking out this QR code and trying to figure out how his services could be of help, they were being redirected to a pornographic website, ding. And I’m not talking cinema soft core, ding, anything. We’re talking bad, bad, bad stuff.

Brad: Okay. That’s multiple dings. I don’t even know if we have enough ding signs in this room for that, Jay. What happened?

Jay: Yeah. I mean, it’s shocking to say the least. Like, he couldn’t believe that this was happening. He didn’t know what to do.

Michael: Dr. Hemsworth was able to shut it down, right?

Jay: Ding. Not exactly. So first, the staff immediately started calling the marketing company, “Hey, this issue’s going on. We need to talk to so and so who helped develop this?” “Sorry, so and so hasn’t worked here for over a year.”

Brad: Ding.

Michael: Ding.

Jay: Okay. So then, all right, what did we do? What do we do? Well, they ended up tracking [00:27:00] this person down, and they were telling her all about it. Like, what do we do? What do we do? And she said, well, first, this is probably just, the website got hacked, so why don’t you check that?

Brad: Yeah.

Jay: Well, they checked the website, IT did some digging. Website perfectly fine. It’s out there in the universe. No problem. Not an issue. So they went back to the marketing company and they said, “Hey, marketing company, just shut down the QR code.” The marketing company said, “We don’t control the QR code.”

Brad: Ding.

Michael: Ding.

Jay: See, what happened is, when they created the marketing campaign, they outsourced the development of the QR code to a third party and then just slapped it on the materials and distributed it, and that was it.

Brad: That’s a ding.

Jay: Yeah. Big ding. So because they hadn’t done any of that, and they didn’t have any control of that, Dr. Hemsworth’s team said, all right, we’re going to go straight to the source. We’re going to go straight to the QR code developer, and we’ll just get them to shut it down. QR code developer company didn’t exist anymore.

Brad: Ooh, ding.

Michael: Ding.

Jay: [00:28:00] So at that point, they turned to the marketing company, they said, what do we do? And the marketing company responded, “We’ll just go gather all the brochures and literature and take them off.”

Brad: Oh, dinging.

Michael: Yeah.

Jay: Not what you want to hear. They did more sophisticated than that. So they got an IT specialist to do some really good digging. And what they found was that this QR code link was being hosted on a server out in California. And so Dr. Hemsworth’s team reached out to them and they said, “Hey, you’ve got a website link that’s redirecting, here’s all our problems. Can you shut it down?” And their response was, “Well, absolutely, we can do that. We just need to get permission from the account owner. So let us call them and we’ll email them and politely ask them if we can do this.”

Brad: All right, I’m dinging you there. I can’t believe anyone at this point would have a polite conversation at this point.

Jay: Yeah, shocking there was no answer [00:29:00] to that request. So they knew that wasn’t going to happen. So while they’re sitting there waiting, they’re trying to figure out what in the world to do, they finally, finally, the IT person found the problem.

Michael: Well, I can’t wait to hear where this ended up going, but let’s kind of shift into the legal takeaways from the story before you give away the ending.

Brad: Yeah. And Jay, many people in this room probably have engaged third party technology companies. Talk about some of the legal considerations they should think about when they are hiring one of these companies.

Jay: Yeah, I mean, there’s two avenues of things that you really want to think about when you’re looking at outsourcing these types of things. One is data control. Making sure you have control over the data, ownership of the data, you have a process to get the data back because the last thing you want is that third party to hold your data hostage. And particularly with protected health information, it can be catastrophic. The second thing, and this goes to websites and outsourced media is, you want to be able to have access and control to [00:30:00] that at all times. As you see in the story, they didn’t. And those companies go in and out of business, you lose track of them. And if something like this happens, you don’t have the ability to go in. You’re not even the account owner or the account administrator, and so you’re really left powerless to have any control over that.

Michael: Brad, we talked earlier about HR and so talk about it from a personnel perspective.

Brad: Yeah, I think for everyone, just start thinking about it from three different areas: review and improve your access controls and do that regularly obviously, implement administration rights, and confirm ownership of sites.

Jay: Okay, Brad, I think you’re going to need a little more detail than that.

Brad: I was hoping you wouldn’t say that.

Jay: This is the Legal 123s.

Brad: Yeah, the Legal 123s with ByrdAdatto. On the review of and improve control regularly, think about this; you have people accessing your system today, they might not always be with you, right? So, if they’re no longer working with you, do you have a process to terminate their rights to your system, right? That’s the first thing. And if you fail to do this, they may, which we’ve seen before, take advantage of [00:31:00] the situation. So that’s one, right? Second one is, implement the administrative rights. So, when you do give someone rights, you probably should not give them unlimited rights to your system because if they do, they can cause more damage, versus someone who has limited access to your system. You should be very wary of when you’re granting rights, how much rights they’re going to have, and obviously ownership.

The ownership process is, renew those domain sites. As you know, that’s crucial obviously, to your online presence. And if you lose those rights, obviously you might lose your website, but your patients can’t find, they lose access to you. And then make sure you are the owner of those accounts. Becoming the account manager of those domains. Don’t assume, of course they will auto renew. So, calendar it or however you want to that process. This will help you guys stop from falling prey to those individuals that will hold it hostage, and you pay [00:32:00] them a finder’s fee or whatever else. But Jay, you’re better at this than me. So, what did I miss?

Jay: Just a couple of pieces to follow up on that. With the access control, you also want to have a process for when you’re terminating. You don’t want to just worry about it after you’ve terminated. You want to have a process to know how do you limit access? How do you monitor access during the time? Sometimes people know it’s coming, sometimes there’s a notice period. You want to have a really good playbook as to, okay, what are we going to do? How are we going to kind of limit or manage the control? Maybe it’s a temporary limitation on someone during a notice period. So, kind of think through that so that they don’t go in there during a period of time of transition and do anything to the data or steal the data. And then a really big important piece is having audit logs with respect to the access controls.

It can be really helpful to do audits periodically to see what people are accessing, how much they’re accessing. Why is this provider accessing things [00:33:00] at 11:45 in the evening when the business is shut down and they’re not working the next day? And it’s really important if people leave and you’re trying to see did they take anything? Did they download patient information? Did they copy charts? Did they send a bunch of templates to their personal accounts? These types of audit controls and audit logs can be really invaluable to kind of investigate what happened.

Michael: Okay. The question we’ve all been wondering; what ended up being the problem?

Jay: All right, so when they looked at the QR code link, they found that the underlying webpage for the link didn’t actually exist anymore. I’m not a tech person, so this is like hacker level stuff. We’re talking about, like Will Smith spy hacker type stuff. They set it up so that this QR code’s link would force the redirect to another server at this place. And buried within [00:34:00] that second server, there was a tiny little file, a random file that had been placed there that said, “Hey, if they ever come here, send them to this pornographic website.”

Michael: Ding, ding, ding, ding, ding.

Jay: So, it was bouncing around in this little file that had been embedded by some hacker was overriding everything and shooting them off to the pornographic website.

Michael: Well, if you’re not an IT person, I certainly, I don’t even know what to say to that other than that’s a massive ding.

Jay: Yes. And we had some not so nice words for the host saying, “Hey, this is what’s happening and you’re responsible for it.” They deleted that file within 24 hours, and the problem solved.

Brad: I am exhausted from the story. I just hope that no one ever tries to do that to my MySpace page.

Michael: Well, ding. Yes, Brad, I don’t think anyone’s ever visited your MySpace page, so you’re probably safe. And you brought it up again.

Brad: All right, audience members we [00:35:00] are actually going to go to a brief commercial. During this commercial, we ask you if you have questions about any of these three stories. Please go up to the mic since we are recording this. Or, if you’re asking for a friend who might have a red flag, you can ask for your friend at the mic too. So please line up, we’ll answer y’all’s questions.

Access+: Many business owners use legal counsel as a last resort, rather than as a proactive tool that can further their success. Why? For most, it’s the fear of unknown legal costs. ByrdAdatto’s Access+ program makes it possible for you to get the ongoing legal assistance you need for one predictable monthly fee, that gives you unlimited phone and email access to the legal team so you can receive feedback on legal concerns as they arise. Access+, a smarter, simpler way to access legal services. Find out more, visit today.

Brad: All right, we got our first victim. I mean, a person who wants to ask this question.

Audience member: So, for the [00:36:00] second story I assume the laws are different from state to state, so I know although it was in the employment agreement regarding if it’s tarnishing the reputation of the business. However, even though she’s covered in that aspect, wouldn’t she have cause for a lawsuit for like discrimination because technically that’s her personal social media?

Michael: Yeah, that’s a great question. So, and you, the way you asked the beginning does matter, like what state you’re in. So, California, for example, is extremely pro-employee. So, the argument would be for NP Kardashian is that this is my First Amendment rights, freedom of expression, all that stuff. However, you do have First Amendment rights, but a private business, that doesn’t extend to your right to work at a workplace is the normal legal answer. [00:37:00] But the real risk is going to vary state by state. Because if you’re in a really strong pro-employee state, there’s going to be empathy for what someone does in their private life, and does it really bleed over to the business?

Audience member: So, we’re in Texas, we can fire at will, basically. However, a conundrum, basically we had kind of the same situation just because we heard of what was on an employee’s social media page, we couldn’t do anything about it, unless if she friended us, which she so happened to do. So, since I was a friend of hers and I was able to see the negative things that were on there, that’s how we were covered, so it’s different loopholes. I was just curious how that second story, like could have played out. Like for us, we could have lost.

Brad: Yeah. So, states like Texas where you as employer, they’re at will – I mean, our recommendation on something like that would be saying nothing, except that it’s not working out and thanks for being with us. The less [00:38:00] you say, the more protections you have. The First Amendment issue that Michael brought up was something that we were concerned with, but it ended up working out at the end of the second story with Nurse Kardashian. But in states like Texas, the less you say the better. And if you say it’s just not working out, thanks for being with us, tomorrow’s your last day or today’s your last day. That’s the safest way to terminate someone for that.

Audience member: Sweet, thank you.

Michael: Yeah. And I’ll add that, a safe place for employers to go, we mentioned this in the story, is to follow your handbook. Like, what’s your process when something like this is out there if someone, like, let’s say an employee reported it to you; is this something that gives rise to doing an investigation under your handbook?

Brad: That’s a good point. It is twofold, right? If something like that happens, go back to your employee handbook. If you don’t have an employment agreement. And if you have an employment agreement, you look at the employment agreement first to see what rights you as an employer [00:39:00] have, and then secondarily, what rights override that just from the employee handbook side. Where practices do get in trouble is they just jump to conclusions, forget that there was a process they had either from a terminations, again, contractual rights, or inside the employee handbook and they just avoid it because they forgot they actually had one. Other questions for your friend? Are we that intimidating?

Jay: They’re shocked by our stories.

Brad: Yeah, they’re shocking stories. Trust us. When we were putting this together with our team, they were thrown off by it too.

Michael: We have another question.

Brad: Come on up.

Audience member: Two questions. We have a marketing company that hosts our website and we are asking them to give our independent contractor access, and they said no. How do we go about that?

Jay: What was the reason that they declined the access?

Audience member: They said that they have a bigger [00:40:00] platform and that they own it although they didn’t create it. We are not migrating to them when we switch companies. But now it’s like, how do we go about like, other than being a medical practice, that this is HIPAA and we have to have full control. And like, I’ve kind of like navigated it like, okay, let’s hold on and kind of have a strategy too. So, if they refuse, then what is our next step?

Jay: Yeah. So, the federal government – they have some good FAQs, and they specifically call out that business associates, people that have access to PHI and are performing a service cannot hold that data hostage. It actually creates a massive legal liability risk. So typically, in a situation like that where we’ve had that with a client where something’s being held hostage, we remind them very elegantly [00:41:00] of their legal obligation to release the data and give us complete access and control because otherwise they’re creating massive liability on themselves by holding that hostage.

Michael: And I want to add, like, there’s a greater problem with contracts with marketing companies. And so, the idea…

Brad: Not that there’s anything wrong with marketing companies.

Michael: No, not at all, but you need to be aware as a business owner, when you contract to have a website done, we’ve had, what I’m about to say, countless conversations. What you’ve just shared with us, we’ve had countless conversations. And that is this, if you contract with a marketing company to develop your website and you don’t have some specific language in your contract, then it is considered to be owned by that marketing company. There’s a concept called “Works Made for Hire,” which is a legal term. And basically, you have to put in there that they’re developing this for you and that you’re the owner of that, and the marketing companies use [00:42:00] this for leverage whenever. The marketing company contracts historically are really, really strong against businesses, they may be like five-year commitments. They have this type of language in it or not in it, and so you know, it just gets really messy trying to work through getting the website back. And ultimately what they want is money, and that’s what they’re going to be.

Brad: Yeah, and to add to that – so one is, work for hire clause has to be in there. That means that you own the rights to it. And second is, if you’re not looking on the fine print, they’ll say, and they get to put their name on your website. So basically, they’re advertising on – you pay them to do something and then now they’re getting a free advertisement. So those are two things to look for in those marketing agreements. And to Jay’s point, because of the civil implications, they actually can be fined by the federal government for withholding. So, it’s not just like, “Hey, you can’t do this”, the violation, if it’s reportable to the office… [00:43:00] basically to the OIG basically, they can be fined by the federal government for holding it up, and so there’s teeth behind that law.

Audience member: The other thing is just a message to all you guys. When we set up a “Google My Business” the first time, I didn’t know that you have to claim it, so a competitor went behind me and claimed it and started messaging. Like when somebody gave me a review, they were like, “Oh, your face is ugly, I don’t know why you are bringing me your money?” This went on for like months and it’s people that I knew in person. So, I went to them, and I said, Hey, this is happening. I know what’s coming from, can we stop it? They didn’t. And then it went on for like nine months. Eventually they hacked my Instagram, and we didn’t get it back. Long story short, we had to – they went Google, Facebook, Instagram, all the platforms. Eventually we had [00:44:00] to file a lawsuit, get a cease and desist and subpoena Google, Yelp. Miraculously, Google actually ended up releasing the identity, which matched the email and the phone number of the person who I actually knew in person who did the original hacking. And so, we ended up getting a restraining order. It took us 18 months to go through that. And then in court, the judge was like, “How do we know you’re not buying your reviews?” And we are like, “We actually fact check every patient review, we double check it.” So, someone like “Teeny 123 Happy Turner,” who is that person? And the judge made us actually like cross reference with the EMR, that this is actually a real person in order to come to the conclusion that this was actually somebody that was sabotaging the business. It can get crazy.

Brad: Yes. So, as you can see, these stories do happen. And even though the three that we had earlier sound crazy, crazy stuff like this happens more than you think. And I know we have another attorney in this room that handles a lot of those conflicts. He spoke earlier, Jeff Siegel, our partner with medical justice. These are the kind of things that do happen where people will try to hijack or drop fake reviews. And it’s just an unfortunate aspect. And I know that if Alex was in the room, he’d probably say the same thing as like, don’t throw stones. It doesn’t make sense. I mean, the market’s big enough that build up a great company. A lot of times great med spas will help be partnered in some capacity with the ones down the block, and that those who are throwing stones like that typically are, what we’ve learned over the years, are the most non-compliant ones anyway. But it’s not great for the industry as a whole because they’re pulling you guys down. And so, we’re not a fan of those kind of situations like that. But sorry that happened to you. [00:46:00] So for those listening, she’s saying that they actually called the nursing board and the medical board on her too.

Audience member: The nursing board came in, the medical board came in, they’ve turned the business upside down, shaking every corner. It’s still happening even after the lawsuit. And I decided to settle. Stupid me, I settled too soon before the nursing board investigation concluded. So I settled because I’m like, this is draining. I got to move on with my life. I don’t want to just pay the legal fee so we can all move on. I settled and then two weeks later, this same doctor’s daughter decided to send another Instagram message to my DM, she’s like, “Oh you need to see… people have come to me that you are training aestheticians to inject Botox,” [00:47:00] and that illegal behavior has to stop or I’m going to report to the proper authorities. I’m a nurse practitioner, why would I train an aesthetician in California to inject Botox? But she’s not stopping. So, like, when people are after you, they’re after you. And I have five lawyers on retainer and I’m like, why? Like a civil, criminal to fight the hacking, and the cyber bullying. It’s crazy.

Brad: Well, does anyone want to follow that?

Michael: Thank you for sharing. Yeah, that’s very helpful for all of us to just know what’s out there.

Brad: Yeah. And it’s unfortunate and like we said, that’s why as much as you can getting control, obviously hackers are hackers and unfortunately, we’ve had many different stories of that happening over the years. But want to leave a little more time if you have any more questions. If not, we will up. Yeah, please go up to the mic please.

Audience member: [00:48:00] Oh, I’m too tall. It kind of goes along with what the NP just shared. I’m a new practice manager in Georgia. When I came in, our website was designed by this marketing company and that marketing company had an overseas company design it for that marketing company. And now I came in and I’m trying to kind of reverse that and trying to bring it to the US. I’m not going to say which country, but this country has the website and they’re not willing to let it go. So, I’m at a point where I need to redesign the whole thing and I need to get the whole domain registered, otherwise they’re really holding it hostage. So, when it’s involving overseas, is there anything that I can do from inside of the US or do I just [00:49:00] have to do what I’m doing right now?

Michael: Well, I would look first at your contract with the marketing company because that’s where your rights are. And what I’m concerned for, for you is that you may have a good or bad contract with this marketing company, and then the marketing company went and outsourced development of this website, and who knows what their contract with this foreign entity was. And so, it sounds extremely messy. I would, if you have rights under your marketing agreement, that’s going to be your best resources to hold the marketing company accountable.

Brad: Yeah, agree. All right. [00:50:00] Well, if there’s no more takers, we’ll take a break and we will have Alex Thiersch, Jeff Siegel, and everyone else up here. But Michael, any final takeaways for our audience before we leave for the day?

Michael: Is Thunder from Down Under on tonight?

Brad: I don’t think so. All right. Well, next Wednesday, everyone, we will be back in studio. We’re going to discuss icon man who is practicing as a dentist. Thank you, guys.

Michael: Thank you.

Brad: Thanks again for joining us today. And remember, if you like this episode, please subscribe, make sure to give us a five-star rating and share with your friends.

Michael: You can also sign up for the ByrdAdatto newsletter by going to our website at

Outro: ByrdAdatto is providing this podcast as a public service. This podcast is for educational purposes only. This podcast does not constitute legal advice, nor does it establish an attorney-client relationship. Reference to any specific product or entity does not constitute an endorsement or recommendation by ByrdAdatto. The views expressed by guests are their own, and their appearance on the program does not imply an endorsement of them or any entity they represent. Please consult with an attorney on your legal issues. [00:51:00]

Michael S. Byrd

Bradford E. Adatto