Three months ago I spoke with the CEO of a telehealth platform that had scaled to 50,000 patients in under eighteen months. They were prescribing semaglutide and tirzepatide through virtual consultations, charging subscription fees, and growing faster than they could hire. When I asked about their HIPAA compliance program, the answer was what I expected: "We have a BAA with our EHR vendor." When I asked about their marketing pixels, the silence told me everything.

The GLP-1 prescribing market exploded because demand outpaced supply through traditional channels. Patients who couldn't get Ozempic or Wegovy from their PCP turned to online platforms that promised convenience and discretion. Venture capital followed the patient volume. What didn't follow was the infrastructure to handle sensitive health data at scale, and we're now watching the predictable consequences unfold.

The Speed Problem: Growth Faster Than Governance

Telehealth GLP-1 providers launched into a market with enormous pent-up demand and limited competition. The business model was straightforward: virtual consultation, questionnaire-based prescribing, pharmacy fulfillment, monthly subscription. Most of these platforms built on existing telehealth infrastructure, white-labeled EHR systems, and off-the-shelf payment processors. The technical stack came together in weeks, not months.

The compliance stack did not. In my experience, organizations that grow this quickly treat privacy and security as back-office functions to be addressed "once we hit scale." The problem is that by the time you hit scale, you've already made architectural decisions that bake in risk. You've already integrated third-party services without vetting their data practices. You've already deployed marketing tools that leak patient data to ad networks.

GLP-1 privacy risks stem directly from this speed mismatch. These platforms are handling some of the most sensitive health information possible—weight, BMI, medical history, photographs, payment data tied to specific prescription patterns—and they're doing it with the data hygiene practices of a consumer app, not a covered entity under HIPAA.

Where the Data Actually Flows

Most GLP-1 platforms don't just run a website. They run:

Each of these systems touches PHI. Each one needs a Business Associate Agreement if the vendor has access to individually identifiable health information. Most of these platforms have some of those BAAs. Very few have all of them. Almost none have audited what their BAAs actually allow versus what the vendors are doing in practice.

Ad Trackers and the OCR Enforcement Pattern

In December 2022, the Office for Civil Rights issued a bulletin clarifying that tracking technologies on patient-facing websites can violate HIPAA if they transmit individually identifiable health information to third parties. The guidance was clear: if you're a HIPAA covered entity or business associate, and you use pixels, session replay tools, or analytics that send IP addresses, page URLs, or other identifiers to ad platforms, you're likely in violation unless you have a BAA and appropriate safeguards.

By late 2023, OCR had opened investigations into several major health systems. Settlements followed. The pattern became predictable: large health system, Meta pixel or Google Analytics on patient portal, no BAA, multi-million-dollar settlement.

GLP-1 telehealth platforms face the exact same exposure, but with worse facts. A patient visiting a hospital website might land on a generic "services" page. A patient visiting a GLP-1 platform is there for one reason, and that reason is evident in the URL structure, form fields, and conversion funnel. When that session data flows to Meta or Google via tracking pixels, the disclosure is unambiguous.

I've reviewed the websites of a dozen telehealth GLP-1 providers in the last six months. Every single one had third-party trackers. Most had Facebook pixels and Google Ads conversion tracking. Several had session replay tools that recorded keystrokes and mouse movements. None of the privacy policies I reviewed disclosed these tools in terms that would satisfy HIPAA's administrative safeguard requirements.

What the FTC Is Watching

The Federal Trade Commission has also entered this space, not through HIPAA but through Section 5 of the FTC Act and the Health Breach Notification Rule. The FTC's authority extends to personal health records and health apps that aren't covered by HIPAA. If a GLP-1 platform structures itself as a wellness service rather than a covered entity—and some have tried this—they move out of HIPAA's scope but directly into the FTC's.

In February 2023, the FTC extracted a settlement from GoodRx for sharing health data with advertising platforms. The case turned on precisely the kind of pixel-based tracking we're discussing here. The FTC has made it clear that health apps, regardless of HIPAA status, cannot use sensitive health information for ad targeting without explicit, informed consent. That consent has to be separate from a generic terms-of-service clickthrough.

GLP-1 platforms that think they're not covered entities are not safer. They're just exposed to a different regulator with a different enforcement appetite, and right now that appetite is strong.

Help Your Leadership Team Understand GLP-1 Privacy Exposure

Carl speaks to healthcare organizations, investors, and boards about the intersection of rapid growth and regulatory compliance. If your organization is navigating telehealth expansion, AI-driven prescribing, or privacy risk in digital health, let's talk.


The Business Associate Problem

A Business Associate Agreement is not a checkbox. It's a contractual commitment that a vendor will implement administrative, physical, and technical safeguards to protect PHI, report breaches, and allow audits. Most SaaS vendors that serve consumer-facing companies do not want to sign BAAs. Those safeguards cost money. Breach reporting creates liability. Audit rights create operational burden.

When you're a fast-growing telehealth platform, you run into this problem constantly. You want to use the best CRM, the best video platform, the best support ticketing system. Most of those vendors are built for general SaaS companies, not healthcare. They're not interested in becoming your business associate, and if they are, the BAA they offer is often boilerplate that doesn't reflect what the product actually does.

The pattern I see most often: the GLP-1 platform gets a BAA from the vendor, files it, and never audits whether the vendor's actual data practices comply with that BAA. The vendor says they won't use PHI for marketing. Meanwhile, their terms of service allow data use for "service improvement" and "analytics," and their subprocessors include data brokers and ad tech platforms. The BAA is functionally meaningless.

This is not hypothetical. I worked with a behavioral health telehealth company two years ago that discovered their CRM vendor—who had signed a BAA—was feeding patient interaction data into a machine learning pipeline that trained models sold to third parties. The vendor's position was that the data was "de-identified." The facts suggested otherwise. The telehealth company terminated the contract and filed a breach report. It cost them six figures to migrate and notify, and they were lucky the breach was discovered internally and not by OCR.

Compounding Pharmacies and Data Sharing

Many GLP-1 telehealth platforms work with compounding pharmacies to fulfill prescriptions when branded products are unavailable or unaffordable. The compounding pharmacy is also a covered entity. The data flow between the prescribing platform and the pharmacy needs to be governed by a BAA.

What often happens instead: the platform treats the pharmacy as a customer or vendor, not a business associate. Patient information flows via email, file upload, or API without encryption or audit logging. The pharmacy may use its own patient communication tools, its own support software, its own analytics. Those tools may not be covered by BAAs. The privacy risk compounds at every handoff.

The supply chain for GLP-1 prescriptions is more fragmented than traditional pharmacy fulfillment. That fragmentation creates data exposure at every seam. If you're a CISO or privacy officer at one of these platforms, your threat model needs to include every entity that touches patient data downstream of the initial consult. That's a longer list than most of these organizations have mapped.

Condition-Specific Platforms and Inference Risk

A hospital website serves patients with dozens of conditions. A GLP-1 telehealth platform serves patients with one condition, or one narrow set of conditions. That specificity changes the risk profile for any data disclosure.

If an IP address and timestamp leak from a general telemedicine platform, the inference is limited. If the same data leaks from a platform that exclusively prescribes weight-loss medications, the inference is precise. The patient's presence on that platform reveals health information, even if no form data is transmitted.

Courts and regulators understand this. The legal term is "contextual disclosure." If I can infer your health status from your interaction with a platform, that interaction is itself a disclosure of health information. GLP-1 platforms are, by design, contextual disclosure machines. Every page view, every click, every session is evidence of a specific health condition or treatment.

This is why ad tracker leakage is so damaging in this space. It's not just that Meta learns you visited a health website. It's that Meta learns you visited a website that only makes sense to visit if you're seeking treatment for obesity or diabetes. That's not marketing data. That's protected health information under HIPAA, and it's sensitive personal information under state privacy laws.

State Privacy Law Exposure

California's CPRA, Virginia's CDPA, Colorado's CPA, and the growing list of state privacy laws all include heightened protections for health data. Some of these laws define health data broadly enough to include inferences about health status. If your tracking tools are feeding data to ad platforms that infer health conditions, you're not just violating HIPAA—you're violating state privacy law.

The enforcement mechanisms are different. State attorneys general can bring actions. In some states, private rights of action exist. The penalties are per-violation, not per-incident, which means a single tracking pixel leaking data from thousands of patient sessions could generate millions of dollars in statutory damages.

Most GLP-1 platforms I've spoken with are focused on HIPAA compliance because that's the framework they know. They're underestimating the state-level privacy exposure, and they're especially underestimating the risk of class action litigation once plaintiffs' firms catch on to how widespread this problem is. The patchwork of state privacy laws creates compliance complexity that these fast-moving platforms are not equipped to handle.


AI-Assisted Prescribing and the Data Retention Problem

Several GLP-1 platforms are now using AI tools to triage patient questionnaires, flag contraindications, and assist with prescribing decisions. This is a rational use of automation when you're processing thousands of patient intake forms. It's also a new vector for GLP-1 privacy risks if the AI vendor is not a business associate and the training data is not properly scoped.

The problem is retention. AI vendors want data. The more data they have, the better their models perform, and the more valuable their product becomes. When you send patient questionnaires to an AI triage tool, you need to know: Is this data being retained? Is it being used for training? Is it being de-identified, and if so, does that de-identification meet the HIPAA standard or just the vendor's internal policy?

I've reviewed a handful of BAAs from AI vendors serving the telehealth space. Most of them include carve-outs for "model improvement" or "service enhancement" that allow the vendor to retain and use data in ways that would not survive scrutiny under HIPAA's minimum necessary standard. The telehealth platform signs the BAA because they need the tool, but they haven't negotiated the data retention terms, and they haven't audited what the vendor actually does with the data.

This is going to become a major enforcement focus. OCR has already published guidance on HIPAA and AI tools. The guidance is clear: if an AI vendor is creating, receiving, maintaining, or transmitting PHI on your behalf, they're a business associate. The BAA has to govern the full scope of data use, including training and model development. If your vendor is using patient data to improve a model they sell to other customers, that's a secondary use that requires either de-identification that meets the Safe Harbor or Expert Determination standard, or explicit patient authorization.

How many GLP-1 platforms have obtained that authorization? My guess is close to zero.


What Good Looks Like (and Why So Few Are Doing It)

A compliant GLP-1 telehealth platform is not exotic. It's a series of intentional choices that prioritize privacy and security over growth velocity. Here's what the architecture should include:

No Third-Party Trackers on Authenticated Pages

Ad pixels, analytics, and session replay tools have no place on any page where a patient is logged in or submitting health information. Marketing attribution ends at the account creation page. Everything downstream of that is PHI and needs to be treated as such.

You can still measure conversion. You can still optimize funnel performance. You just can't do it by sending identifiable patient data to Meta, Google, or any other ad platform. That means server-side analytics, privacy-preserving measurement tools, and internal attribution models. It's more work. It's the cost of doing business as a covered entity.
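One way to check this rule before every release, as an added example that is not the article's own tooling: a Node script that pulls every external resource load out of a page's HTML and flags known ad, analytics and session-replay hosts, treating any hit on an authenticated or intake route as a high-severity finding. The tracker host list, the example domain and the sample HTML are constructed for illustration.

```javascript
// Added audit example (not code from the article): find third-party resource
// loads in a page and flag tracker hosts on authenticated routes.
// TRACKER_HOSTS is an illustrative sample, not an exhaustive block list.
const TRACKER_HOSTS = [
  "connect.facebook.net",        // Meta pixel loader
  "www.facebook.com",            // Meta pixel image beacon (/tr)
  "www.googletagmanager.com",    // Google Tag Manager / gtag
  "www.google-analytics.com",    // Google Analytics
  "googleads.g.doubleclick.net", // Google Ads conversion tracking
  "static.hotjar.com",           // session replay (Hotjar)
  "edge.fullstory.com",          // session replay (FullStory)
];

// Pull src/href/action targets out of script, img, iframe, link and form tags
// and resolve them against the page URL so relative paths count as first party.
function extractResourceUrls(html, pageUrl) {
  const re = /<(script|img|iframe|link|form)\b[^>]*?\s(?:src|href|action)\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      out.push({ tag: m[1].toLowerCase(), url: new URL(m[2], pageUrl).href });
    } catch (_) { /* skip values the URL parser rejects (odd data: blobs etc.) */ }
  }
  return out;
}

// Every third-party host is reported so it can be checked against BAA coverage;
// known trackers on an authenticated page are the high-severity findings.
function auditPage({ url, html, authenticated }) {
  const firstParty = new URL(url).hostname;
  const findings = [];
  for (const r of extractResourceUrls(html, url)) {
    const host = new URL(r.url).hostname;
    if (host === firstParty) continue;
    const isTracker = TRACKER_HOSTS.includes(host);
    const severity = authenticated && isTracker ? "high" : isTracker ? "medium" : "info";
    findings.push({ tag: r.tag, host, severity });
  }
  return findings;
}

// Constructed sample: a medical-history intake page (authenticated) that loads
// the Meta pixel and a session-replay script next to a first-party script.
const SAMPLE_HTML = `<html><head>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/static/app.js"></script>
<script async src="https://static.hotjar.com/c/hotjar-0.js"></script>
</head><body>
<form action="/intake/submit" method="post"></form>
<img src="https://www.facebook.com/tr?id=0&ev=PageView" width="1" height="1">
</body></html>`;

// Returns the tracker hosts that must be removed before this page ships.
function sampleHighFindings() {
  return auditPage({ url: "https://example-glp1.test/intake/medical-history",
                     html: SAMPLE_HTML, authenticated: true })
    .filter(f => f.severity === "high").map(f => f.host);
}

console.log(sampleHighFindings());
```

Running the same page with `authenticated: false` downgrades the pixel hits to medium, which is where the article's "attribution ends at account creation" line is drawn; the intake form action stays first party and is never reported.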

Comprehensive BAA Coverage

Every vendor that touches PHI needs a BAA that accurately reflects what the product does. That includes video platforms, CRMs, email providers, SMS gateways, support tools, and payment processors. The BAA needs to specify data retention limits, prohibit secondary use, require breach notification, and allow audit rights.

If a vendor won't sign a BAA with those terms, find a different vendor. This is not negotiable. The compliance risk of using a non-BAA vendor for PHI processing is not a risk-reward trade-off. It's just risk.

Audit Your Vendors' Subprocessors

Most SaaS vendors use subprocessors—hosting providers, CDN services, analytics tools. Your BAA should require the vendor to disclose all subprocessors and obtain your consent before adding new ones. You should audit that subprocessor list at least annually to ensure it hasn't expanded to include data brokers, ad tech platforms, or other entities that have no business touching patient data.

This is tedious work. It's also the only way to know where your data is actually going. The contract says one thing. The vendor's infrastructure does another. The gap between those two realities is where breaches happen.

Separate Marketing and Clinical Data Flows

Marketing needs to happen in a separate system from clinical operations. The CRM that tracks leads should not have access to the EHR that stores patient records. Consent for marketing communication should be managed separately from consent for treatment. Data should flow one direction—from marketing into clinical at the point of conversion—and never back.

Most GLP-1 platforms I've reviewed have blurred this line. The same system that manages the sales funnel also manages patient follow-up. The same database that stores lead source information also stores BMI and prescription history. This is not just a privacy problem. It's a security problem. If your marketing database is breached, you've just lost PHI because you didn't segment your data.

The Enforcement Wave Is Coming

OCR moves slowly, but it moves. The agency has limited resources and prioritizes cases with large patient populations, clear violations, and public interest. GLP-1 telehealth platforms check all three boxes. The patient populations are large and growing. The violations—tracking pixels on patient portals, missing BAAs, inadequate consent—are straightforward to prove. The public interest is high because these platforms are serving patients with conditions that carry stigma and discrimination risk.

I expect we'll see OCR investigations and settlements in this space within the next 12 to 18 months. The agency has already established the enforcement pattern with hospital systems and tracking pixels. Extending that pattern to telehealth is not a leap. It's the logical next step.

The FTC is also paying attention. The agency's recent focus on health apps and data brokers suggests that telehealth platforms—especially those that claim they're not covered entities—are on the radar. The FTC has broader authority than OCR in some ways, and it's been more aggressive in pursuing novel enforcement theories. If a GLP-1 platform is sharing data with ad networks or data brokers, the FTC doesn't need to prove a HIPAA violation. It just needs to prove deception or unfairness under Section 5.

State attorneys general are the wild card. California's AG has been active in health privacy enforcement. Other states are ramping up. If a platform suffers a breach or a whistleblower surfaces evidence of tracking pixel misuse, a state AG action is likely. Those cases generate headlines and political capital, which makes them attractive even when the financial recovery is small.

Strategic Implications for Leadership

If you're running a GLP-1 telehealth platform, or advising one, or investing in one, this is not a compliance checkbox. This is a business risk that will determine whether your organization survives its first major regulatory inquiry.

The temptation is to move fast and fix it later. That strategy works in consumer software where the regulatory exposure is limited. It does not work in healthcare. HIPAA violations are strict liability. The agency doesn't care that you were growing quickly or that your vendor misled you or that you planned to fix it next quarter. The violation happened, and the penalties follow.

The reputational risk is even worse than the financial risk. A data breach or OCR settlement will be covered in the healthcare trade press and picked up by general media because GLP-1 drugs are a hot topic. Patients who trusted you with sensitive health information will see headlines about tracking pixels and ad networks. Your churn rate will spike. Your acquisition cost will climb. Investors will ask hard questions.

The time to address GLP-1 privacy risks is before the investigation, before the breach, before the press coverage. That means slowing down enough to audit your vendors, review your data flows, and fix the gaps. It means bringing in a privacy officer who has authority, not just responsibility. It means recognizing that HIPAA compliance is not overhead—it's the foundation of a durable healthcare business.

The platforms that survive the next wave of enforcement will be the ones that treated privacy as a product requirement, not a legal afterthought. The rest will be case studies in what happens when growth outpaces governance.
