Telehealth's GLP-1 boom: balancing obesity care with HIPAA and state consumer privacy laws

Reuters
August 20, 2025 - Demand for GLP-1 agonists, such as semaglutide and tirzepatide, exploded in 2024 and shows no signs of slowing in 2025. It is forecasted that the U.S. market will top $30 billion by the end of 2025, aided by physical brick-and-mortar clinics and national telehealth startups that offer fast online consults and front-door delivery.
The digital channel is attractive to patients because it offers convenience and secrecy, including no waiting room and discreet shipping. Providers, for their part, can scale nationally. However, that same frictionless nationwide telehealth model magnifies privacy and cybersecurity risks.
Online GLP-1 programs necessarily collect sensitive health histories, biometric data (such as weight, blood glucose levels, and sleep patterns), insurance details, and payment information. Alongside that collection, most providers embed advertising pixels to fuel customer acquisition. When that data straddles HIPAA-regulated and consumer-app environments, the legal landscape quickly becomes treacherous.
GLP-1 telehealth services almost always involve a "covered entity" (the clinician or pharmacy) plus multiple "business associates" (video visit platforms, fulfillment pharmacies, labs, and cloud vendors). Classic HIPAA safeguards therefore apply, which include encryption in transit and at rest, unique user IDs, role-based access, audit trails, and a written business associate agreement (BAA) with each vendor.
Two federal developments heighten enforcement pressure:
(1) Tracking-technology bulletin: In March 2024, HHS OCR revised its 2022 guidance, "Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates," clarifying that website cookies, pixels, and similar tools may transmit protected health information (PHI) when they identify a user as a patient, even if no appointment is booked. The Texas federal court decision, Am. Hosp. Ass'n v. Becerra, ---- F. Supp. 3d ----, No. 4:23-cv-1110, 2024 WL 3075865 (N.D. Tex. June 20, 2024), which vacated parts of the bulletin, created uncertainty, but OCR has reiterated that "regulated entities are not off the hook." The decision vacated only OCR's "proscribed combination" theory, that an IP address plus a visit to an unauthenticated health webpage is IIHI/PHI, leaving uncertainty about what, if any, other public-page interactions may trigger HIPAA duties when tracking tools are used. Because the rest of OCR's bulletin remains operative, especially for authenticated portals, and OCR continues to warn that disclosures of PHI to tracking vendors can violate HIPAA, entities must navigate unclear lines on public sites even as core obligations persist.
(2) GoodRx's settlement consequences: The FTC's Complaint against GoodRx sent shockwaves through the healthcare industry, as it was the first time the FTC had sought to use the Health Breach Notification Rule (the HBNR) (and a parallel Section 5 order) against a healthcare provider. 15 U.S.C. § 45(a)(1). The FTC's Complaint alleged that GoodRx repeatedly violated these promises by sharing sensitive user information with third-party advertising companies and platforms, such as Google, Facebook and others. Specifically, GoodRx shared user prescription medication information, personal health conditions, personal contact information, and unique advertising and persistent identifiers without providing notice to the users and without first obtaining user consent to the sharing. Worse, the FTC Complaint alleged that GoodRx's sharing of this information allowed the third parties to profit from the information and use it for their own business purposes, including by using the information to personally target the users with advertisements. The suit resulted in a $1.5 million fine and a multi‑year ban on advertising using health data, demonstrating the significant legal landmines in mixing telehealth services with ad retargeting. With this, OCR has indicated that it will treat similar pixel leaks as reportable breaches under HIPAA.
In addition to HIPAA, 19 states, with more on the way, have comprehensive privacy laws in effect or scheduled, and several include "consumer health data" (CHD) that reaches beyond HIPAA.
Three statutes matter most to GLP‑1 telehealth ventures:
• Washington My Health My Data Act (MHMDA): The MHMDA covers any information "reasonably linked" to physical or mental health, including attempts to seek care, and those parts go into effect March 31, 2024 for large entities and on June 30, 2024 for small entities. The MHMDA also bans geofencing near abortion or gender‑affirming clinics and requires a signed consumer consent for CHD sharing or sale.
• California Confidentiality of Medical Information Act (CMIA): The CMIA covers "Medical Information" held by any business that offers a digital health service to manage a medical condition. As expanded by AB 2089, CMIA treats telehealth weight‑management apps as "providers of health care," triggering HIPAA‑like security, access, and disclosure rules.
• Florida Digital Bill of Rights (FDBR): The FDBR covers sensitive personal data, which expressly includes biometric and genetic data, prohibits the offshoring of specific patient data, and grants Floridians deletion, correction, and opt-out rights that rival those of the California Privacy Rights Act (CPRA).
Both CMIA and MHMDA authorize statutory damages in the amounts of $1,000 to $25,000 per violation. Plaintiffs have already alleged that pixel deployments disclose "health conditions" (obesity) and "treatment" (semaglutide) without consent, and parallel class actions under CPRA's "unauthorized disclosure" theory have been filed in California.
Although GLP‑1s are not controlled substances, individual states regulate tele‑prescribing differently. Roughly one‑third require an in‑person visit before issuing an initial prescription, with Arkansas and Alabama tightening their rules this year.
The issue gets even more complicated when a prescribing clinician is licensed in one state, the patient resides in another, and the compounding pharmacy is in yet another, because each state's respective telehealth practice laws (and privacy statute) follow the data. Providers must therefore ensure they have robust credentialing workflows and conduct conflict‑of‑law analyses before doing business or taking patients in new jurisdictions.
From a privacy perspective, the shift pushes more patient data into electronic prescribing and REMS-style safety programs (Risk Evaluation and Mitigation Strategy), escalating HIPAA exposure. In response, it is recommended that telehealth platforms:
(1) Map your tech stack. Take an inventory of every system that touches patient data, including intake forms, analytics, coaching apps, pharmacy routing, SMS, and reporting, and identify what is a covered entity, a business associate, or neither. Build a data flow diagram as if you would have to provide it to a regulator.
(2) Minimize. For every data pathway on marketing sites and patient portals, disable non‑essential trackers by default, and negotiate "qualified service provider" status (with HIPAA‑style contractual limits) for analytics vendors that must remain.
(3) Update privacy notices. Update the Notice of Privacy Practices (NPP) to reflect any new manufacturer data-sharing obligations.
(4) Ensure vendor contract management. Reevaluate BAAs with compounding pharmacies that pivot to 503A, where prescriptions must be individually tied to a named patient. This may include adding contract indemnities for off-label promotion claims that may surface in data-sharing litigation.
(5) Implement specific jurisdictional toggles. Because GLP-1 telehealth companies frequently market nationwide, they must implement specific jurisdictional toggles in order to ensure compliance, for instance, turning off cross-site tracking for state-specific IP addresses unless express opt-in consent is obtained.
(6) Pixel governance program. Apply an enterprise tracker inventory, run static-site scans after each code push, and memorialize pixel risk assessments in HIPAA Security Rule documentation.
(7) Dynamic consent flows. Deploy geolocation logic to trigger "affirmative written consent" dialogs and suppress the session until accepted.
(8) Tier vendors. Classify suppliers as HIPAA business associates, state CHD processors, or ordinary service providers. Flow down state-specific clauses, e.g., no "sale" or "share" of Washington CHD, right to delete Florida data within 45 days.
(9) Board-level metrics. Track monthly privacy Key Performance Indicators (KPIs), including number of tracker removals, PHI access exceptions, and deletion-request turnaround, alongside clinical outcomes.
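The static-site scan in recommendation (6) can run as a build step that fails when a page loads a third-party host missing from the tracker inventory, or one approved only for a different part of the site. The sketch below is an added example, not code from the article or any vendor; the domain, inventory entries, zone names and sample pages are all constructed assumptions.

```python
"""Post-push tracker scan: compare third-party hosts in built HTML to an inventory."""
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "clinic.example"  # assumption: the site's own domain
# Assumption: the tracker inventory maps each approved host to the zones it may load in.
INVENTORY = {
    "cdn.analytics.example": {"marketing"},            # analytics, public pages only
    "video.visits.example": {"marketing", "portal"},   # vendor covered by a BAA
}
FETCHING_TAGS = {"script", "img", "iframe"}  # tags whose src makes the browser call out


class ResourceCollector(HTMLParser):
    """Collect third-party hosts referenced by script, img and iframe tags."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in FETCHING_TAGS:
            return
        host = urlparse(dict(attrs).get("src") or "").hostname
        if host is None:  # relative path or data: URI, nothing leaves the site
            return
        if host == FIRST_PARTY or host.endswith("." + FIRST_PARTY):
            return
        self.hosts.add(host)


def third_party_hosts(html):
    collector = ResourceCollector()
    collector.feed(html)
    return collector.hosts


def scan(pages):
    """pages: {path: (zone, html)} -> sorted list of (path, host, reason)."""
    findings = []
    for path, (zone, html) in pages.items():
        for host in third_party_hosts(html):
            allowed = INVENTORY.get(host)
            if allowed is None:
                findings.append((path, host, "not in tracker inventory"))
            elif zone not in allowed:
                findings.append((path, host, f"not approved for {zone} pages"))
    return sorted(findings)


# Constructed sample build output: one public page, one authenticated intake page.
SAMPLE_PAGES = {
    "/index.html": ("marketing",
        '<script src="https://cdn.analytics.example/a.js"></script><img src="/img/hero.png">'),
    "/portal/intake.html": ("portal",
        '<script src="//cdn.analytics.example/a.js"></script>'
        '<img src="https://px.adnetwork.example/tr?ev=PageView" height="1" width="1">'
        '<iframe src="https://video.visits.example/room"></iframe>'),
}

if __name__ == "__main__":
    results = scan(SAMPLE_PAGES)
    for path, host, reason in results:
        print(f"{path}: {host}: {reason}")
    sys.exit(1 if results else 0)  # non-zero exit fails the pipeline
```

A static scan only sees tags present in the built HTML; trackers injected at runtime by a tag manager need a headless-browser crawl that records outbound requests.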
GLP-1 telehealth programs promise significant transformative benefits for millions living with obesity, yet the data they harvest is among the most sensitive in the digital economy. HIPAA remains the foundation, but a rapidly growing patchwork of state consumer health-privacy statutes and federal enforcement actions dictate the contours of lawful virtual care.
The healthcare providers that succeed will treat privacy not as a back-office compliance task but as a strategic differentiator to build patient trust through transparency, minimize data collection, and ensure rigorous vendor oversight.
Sara H. Jodka is a regular contributing columnist on privacy and data security for Reuters Legal News and Westlaw Today.