How to Build a Communication Preference Center for Opt-Out Compliance in Healthcare
Mar 4, 2026
Tyler Zey
Healthcare organizations send patient communications from a lot of different systems. Your EHR sends appointment reminders. Your CRM sends follow-ups. Your marketing platform sends newsletters and campaign emails. Maybe a patient engagement tool sends satisfaction surveys.
The problem shows up when a patient unsubscribes from one of those systems. That opt-out needs to be honored everywhere, not just in the system where they clicked "unsubscribe." If someone opts out of marketing emails but keeps getting appointment reminder texts from a different platform, you have a compliance problem and an angry patient.
This is coming up more and more, especially with California's privacy laws tightening the screws. We built our preference center to solve exactly this: one place where patient communication preferences live, synced across every system that sends messages.
Important Disclaimer: This guide demonstrates how you can configure Ours Privacy and is for example purposes only. It is not legal advice and does not constitute a recommendation for how you should configure your privacy setup. Regulatory requirements vary by jurisdiction and may change over time. Always consult your own legal counsel and privacy officers when determining compliance strategies for your organization.
Why This Is a Compliance Issue, Not Just a UX Issue
Most teams treat unsubscribes as a feature of each individual tool. The CRM handles its own opt-outs. The EHR has its own preferences. Marketing has its own suppression lists. That works until regulators come knocking.
HIPAA
HIPAA doesn't explicitly regulate marketing opt-outs the same way consumer privacy laws do. But it does require covered entities to honor patient requests around how they receive communications. If a patient asks to be contacted only by mail and not by phone, HIPAA generally requires covered entities to accommodate reasonable requests. When communication preferences are scattered across five systems, honoring those requests consistently becomes nearly impossible.
California (CCPA/CPRA)
California privacy law is where this gets sharp. Under the CCPA/CPRA, California residents have the right to opt out of the sale or sharing of their personal information. If your marketing platform shares data with ad networks and a patient opts out, that opt-out needs to be reflected in every system that touches their data. The law doesn't care that your EHR and your CRM are different vendors. It cares that you, the organization, honored the request.
The CPRA also introduced the right to limit the use of sensitive personal information, which includes health data. If a patient exercises that right, you need a mechanism to propagate that limitation across your entire stack.
Other State Laws
California gets the most attention, but it's not alone. Colorado, Connecticut, Virginia, Texas, and others have passed privacy laws with similar opt-out requirements. The trend is clear: more states are giving consumers control over their communication preferences, and the burden of honoring those preferences falls on the organization, not on individual software vendors.
The Core Problem: Preferences Live in Silos
Here's what the typical healthcare marketing stack looks like:
EHR/PM system sends appointment reminders, recall notices, and care follow-ups
CRM sends nurture sequences, re-engagement campaigns, and lead follow-ups
Marketing platform sends newsletters, promotional emails, and campaign blasts
Patient engagement tools send surveys, review requests, and educational content
Call center software manages outbound calls and SMS
Each of these systems has its own concept of "opted in" or "opted out." None of them talk to each other by default. When a patient clicks "unsubscribe" in a marketing email, that preference lives in your email platform. Your appointment reminder system has no idea it happened.
Building point-to-point integrations between all of these systems is expensive, fragile, and hard to maintain. Every time you add a new tool, you're adding another integration to every existing tool in the stack.
How to Centralize Communication Preferences with Ours Privacy
The solution is a single source of truth for communication preferences that every downstream system stays in sync with. That's what our cookie banner (CMP) and CDP do together.
The cookie banner includes a built-in preference center where patients manage their communication choices through consent categories. When a preference changes, the CDP dispatches that change to every connected system. Your CRM, your EHR, your email platform, your call center. They all get updated automatically.
Step 1: Create Consent Categories in the Cookie Banner
The Ours Privacy cookie banner includes a built-in preference center where patients manage their communication choices. The first step is creating consent categories for each type of communication your organization sends.
For a typical healthcare org, that might look like:
Marketing emails (newsletters, promotions, campaigns)
Appointment reminders (SMS, email, or phone)
Patient surveys (satisfaction, NPS, post-visit)
Care follow-ups (treatment reminders, wellness content)
Phone outreach (sales calls, re-engagement)
Each category maps to a specific type of communication. When a patient opens the preference center, they see these categories and can opt in or out of each one individually. The cookie banner stores those choices on the visitor's profile.
You can also capture preferences from other entry points. If a patient unsubscribes through your CRM or replies "STOP" to an SMS, use the server-side identify API to write that preference change back to their Ours Privacy profile. The cookie banner is the hub regardless of where the opt-out originated.
Step 2: Dispatch Preference Changes via the CDP
This is where the real value is. When a patient changes a consent category in the preference center, the CDP dispatches that change to every connected destination.
What you can do with this:
Update your CRM's suppression list when a patient opts out of marketing
Sync communication preferences to your EHR so appointment reminders respect patient choices
Update your call center's do-not-contact list in real time
Set platform-specific flags on ad platforms (like Facebook's Limited Data Usage flag or Google's consent signals)
Use destinations and custom mappers to translate the preference into whatever format each downstream system expects. Your CRM might need a boolean field. Your ad platform might need a specific consent signal. Custom mappers handle that translation.
This replaces the mess of point-to-point integrations between every system. Instead of building and maintaining a sync between your CRM and your EHR, and your EHR and your email platform, and your email platform and your call center, you maintain one connection per system to Ours Privacy. The CDP is the hub.
Step 3: Use the Global Data Governance to Control Data Flow
On top of dispatching preference changes, use Global Data Governance rules to control what data flows where based on those preferences.
Block marketing data when opted out:
Condition: Patient has opted out of the "Marketing emails" consent category
Action: Block data to marketing destinations (Meta, Google Ads, email platforms)
Allow appointment communications when opted in:
Condition: Patient has opted in to the "Appointment reminders" consent category
Action: Allow data to appointment reminder destinations
Some patients want appointment reminders but no marketing. Some want email but not SMS. The cookie banner's consent categories let patients set those preferences, the CDP dispatches the changes, and the Global Data Governance enforces them across every destination.
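The three steps above, as one added illustration that is not Ours Privacy's own code: a hub holding one preference record per patient, custom mappers per destination, and governance rules that filter event data by consent category. Category names, destination names, and the identify/track function shapes are all assumptions for this example.

```javascript
// Constructed illustration of Steps 1-3 (added example, not Ours Privacy's API).
// Category names, destination names, mapper and rule shapes are assumptions.

const CATEGORIES = ["marketing_emails", "appointment_reminders", "patient_surveys",
                    "care_followups", "phone_outreach"];

// Step 1: single source of truth. One preference record per patient profile,
// with every category defaulting to opted out until the patient chooses.
const profiles = new Map();
const defaults = () => Object.fromEntries(CATEGORIES.map(c => [c, false]));

// Step 2: destinations with custom mappers that translate the hub's categories
// into whatever shape each downstream system expects.
const destinations = {
  crm:         { kind: "marketing",    map: p => ({ email_opt_out: !p.marketing_emails }) },
  meta_ads:    { kind: "marketing",    map: p => ({ limited_data_use: !p.marketing_emails }) },
  ehr:         { kind: "appointments", map: p => ({ reminders: p.appointment_reminders ? ["sms", "email"] : [] }) },
  call_center: { kind: "marketing",    map: p => ({ dnc_marketing: !p.marketing_emails, dnc_phone: !p.phone_outreach }) },
};

// Step 3: governance rules decide whether event data may flow to a destination kind.
const governance = {
  marketing:    p => p.marketing_emails,       // block marketing data when opted out
  appointments: p => p.appointment_reminders,  // allow appointment data only when opted in
};

// Any entry point (preference center, CRM unsubscribe, SMS "STOP") writes the
// change to the hub via identify(); the hub then pushes it to every destination.
function identify(patientId, changes, source) {
  for (const cat of Object.keys(changes)) {
    if (!CATEGORIES.includes(cat)) throw new Error(`unknown consent category: ${cat}`);
  }
  const prefs = { ...(profiles.get(patientId) ?? defaults()), ...changes };
  profiles.set(patientId, prefs);
  // Preference updates always reach every system, so suppression lists stay in sync.
  const updates = {};
  for (const [name, dest] of Object.entries(destinations)) updates[name] = dest.map(prefs);
  return { patientId, source, updates };
}

// Event data (campaign clicks, reminder triggers) is filtered by the governance rules.
function track(patientId, event, kind) {
  const prefs = profiles.get(patientId) ?? defaults();
  const forwardedTo = Object.entries(destinations)
    .filter(([, d]) => d.kind === kind && governance[kind](prefs))
    .map(([name]) => name);
  return { patientId, event, kind, forwardedTo };
}
```

Note the split: the opt-out itself is always delivered to every destination (otherwise the CRM never learns to suppress), while ordinary event data is what the governance rules hold back.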
What This Looks Like in Practice
A patient opens the cookie banner's preference center and opts out of the "Marketing emails" category. That change is stored on their visitor profile. The CDP immediately dispatches the update to your CRM (updating the suppression list), your ad platforms (setting consent flags), and your call center software (marking them do-not-contact for marketing). The Global Data Governance blocks any marketing data from flowing to those destinations going forward.
One change, one source of truth, every system in sync.