*Benjamin Wachs
I. Introduction
About one in every eight adults in the United States is taking GLP-1 medications to help treat diabetes and facilitate weight loss.[1] The immense success of these drugs on patients’ weight loss has earned them the nickname “miracle drugs.”[2] The industry is projected to boom into a 30-billion-dollar market by the end of 2025.[3] As a result, several GLP-1 clinics and online telehealth ventures have emerged across the nation.[4] The telehealth model has become increasingly popular for both GLP-1 providers and consumers, as it allows providers an opportunity to scale nationally and offers discretion and secrecy to consumers.[5] However, GLP-1’s quick ascension as a treatment for diabetes and weight loss, facilitated by the telehealth model, raises questions about consumers’ privacy rights.[6]
II. A Brief Look into HIPAA Policies Regarding Telehealth Providers
The US Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 with the goal of protecting patient information and privacy.[7] HIPAA established strict standards designed to safeguard patients’ protected health information.[8] HIPAA applies only to covered entities and their business associates, meaning a healthcare provider must transmit electronic health information as part of a standard HIPAA transaction, such as an insurance claim, to be subject to HIPAA.[9] However, a cash-only practice that avoids such transactions may not be covered under HIPAA and, as a result, may not have to comply with its strict standards for safeguarding patient medical information.[10] This distinction has become particularly relevant in the GLP-1 telehealth industry, as many companies have moved to direct-to-consumer cash pay models that do not involve insurance.[11]
III. Consumer Consequences of the Cash-Pay Telehealth Model
One of the foremost challenges consumers in the GLP-1 telehealth surge face is the failure to safeguard their privacy.[12] Many healthcare provider webpages use tracking technologies, known as cookies or pixels, to create consumer profiles. These profiles are sold to large third-party advertising companies like Meta and Google, which subsequently use the information for targeted advertisements.[13] The website of Hims and Hers, a popular GLP-1 distributor, had more than double the average number of third-party trackers, including Facebook’s.[14] These invasive consumer profiles are built outside of HIPAA protections.[15]
The Federal Trade Commission’s $1.5 million penalty against GoodRx, a prescription drug discount provider, in 2023 underscores the severity of privacy breaches emerging among telehealth providers nationwide.[16] This penalty came three years after Consumer Reports determined GoodRx shared consumer data with over twenty companies, including Google and Meta.[17] The potential consequences consumers face from privacy breaches are significant in the GLP-1 telehealth industry.[18] After the information collected by the telehealth website’s tracking systems is sold to companies, consumers’ insecurities are leveraged to sell weight loss products.[19] Additionally, privacy breaches lead companies to engage in surveillance pricing, charging consumers different prices for the same product based on data collected online.[20] As a result of privacy breaches in the telehealth industry, consumers’ sensitive health data is being widely disseminated across the internet and exploited in ways they never anticipated, depriving them of consent.[21]
IV. State Legislative Responses to Telehealth Privacy Gaps
In response to privacy concerns around sensitive health data generated by telehealth platforms, several states have enacted laws to protect consumer health data.[22] The Washington “My Health My Data Act” (MHMDA) empowers individuals by giving them greater control over their health data.[23] Under the MHMDA, actors handling consumer health data must follow a detailed six-part framework governing privacy policies, consent, sale restrictions, advertising limits, consumer rights, and vendor agreements.[24] These provisions are particularly relevant for telehealth providers who prescribe GLP-1 medications. Their digital platforms frequently collect, store, and share sensitive patient information outside the scope of HIPAA’s coverage, creating both compliance challenges and potential liability risks.[25] Nevada and Connecticut have passed acts similar to the MHMDA, imposing new requirements that companies must follow regarding consumer health data in their respective states.[26] These state-level initiatives highlight a growing trend to fill federal privacy gaps, offering consumers stronger protections and signaling that telehealth providers must prioritize data security and compliance.[27]
V. Conclusion
The rapid ascension of GLP-1 telehealth platforms has brought significant benefits to consumers seeking convenient and discreet care.[28] Yet the collection, storage, and sharing of sensitive consumer health data outside the scope of HIPAA has created severe privacy risks.[29] However, states like Washington, Nevada, and Connecticut have begun addressing these problems by protecting consumers’ privacy rights and imposing stricter obligations on telehealth providers.[30] These states have provided a roadmap for other states to follow, which will strengthen privacy protections, reduce consumer harm, and hold telehealth providers accountable for safeguarding sensitive health information.[31]
*Benjamin Wachs is a second-year day student at the University of Baltimore School of Law, where he is a Staff Editor for Law Review and a Scholar of the Royal Graham Shannonhouse III Honor Society. He received a Bachelor of Arts in Government and Politics from the University of Maryland, College Park and spent this past summer as a Judicial Intern for the Honorable Jennifer B. Schiffer in Baltimore County Circuit Court. Ben is interested in corporate law and plans on specializing in Mergers and Acquisitions.
[1] Poll: 1 in 8 Adults Say They’ve Taken a GLP-1 Drug, Including 4 in 10 of Those with Diabetes and 1 in 4 of Those with Heart Disease, KFF (May 10, 2024), https://www.kff.org/health-costs/poll-1-in-8-adults-say-theyve-taken-a-glp-1-drug-including-4-in-10-of-those-with-diabetes-and-1-in-4-of-those-with-heart-disease.
[2] Mark Conley, Five Things to Know About GLP-1s and Addiction, Stan. Med.: News Ctr. (Apr. 1, 2025), https://med.stanford.edu/news/insights/2025/04/ozempic-addiction-glp-1s-mounjaro-lembke.html.
[3] Sara Jodka, Telehealth’s GLP-1 Boom: Balancing Obesity Care with HIPAA and State Consumer Privacy Laws, Reuters (Aug. 22, 2025), https://www.reuters.com/legal/legalindustry/telehealths-glp-1-boom-balancing-obesity-care-with-hipaa-state-consumer-privacy-2025-08-20/.
[4] Id.
[5] Id.
[6] See id.
[7] Peter F. Edemekong et al., Health Insurance Portability and Accountability Act (HIPAA) Compliance, Nat’l Libr. of Med. (Nov. 24, 2024), https://www.ncbi.nlm.nih.gov/books/NBK500019/.
[8] Id.
[9] Andrew Stein, Is a Cash-Only Medical Practice Subject to HIPAA?, Stevens & Lee: Health Law Observer (July 15, 2021), https://www.stevenslee.com/health-law-observer-blog/is-a-cash-only-medical-practice-subject-to-hipaa/.
[10] Id.
[11] Gabriela Barkho, Weight Loss Drugs Like Ozempic Are Giving DTC Telemedicine Platforms a Boost, Mod. Retail (Mar. 25, 2024), https://www.modernretail.co/operations/weight-loss-drugs-like-ozempic-are-giving-dtc-telemedicine-platforms-a-boost/.
[12] See Deesha D. Desai et al., Navigating the Landscape of Direct-to-Consumer Telehealth Services, Nat’l Libr. of Med. (Feb. 17, 2025), https://pmc.ncbi.nlm.nih.gov/articles/PMC11922300/ (“[P]rivacy concerns, particularly the absence of Health Insurance Portability and Accountability Act (HIPAA) coverage, expose patients to the risk of unauthorized disclosure of their private health information.”).
[13] Sara Geoghegan, A Health Privacy ‘Check-Up’: How Unfair Modern Business Practices Can Leave you Under–Informed and Your Most Sensitive Data Ripe for Collection and Sale, Elec. Priv. Info. Ctr. (June 5, 2025), https://epic.org/a-health-privacy-check-up-how-unfair-modern-business-practices-can-leave-you-under-informed-and-your-most-sensitive-data-ripe-for-collection-and-sale/.
[14] Id.
[15] Id.
[16] Frank Bajak, FTC Fines GoodRx for Unauthorized Sharing of Health Data, AP News (Feb. 1, 2023, at 19:09 ET), https://apnews.com/article/technology-politics-california-health-prescription-drugs-5934cea79a747ae869c63267a4acb561.
[17] Id.
[18] Geoghegan, supra note 13.
[19] Id.
[20] Id.
[21] Id.
[22] Paul Schmeltzer, Telehealth Providers at a Crossroads: Navigating Insurance, Compliance and Cash-Only Models Amid State Regulations, Healthcare Dive (Sep. 20, 2024), https://www.healthcaredive.com/news/telehealth-providers-crossroads-regulations-paul-schmeltzer-clark-hill/727296/.
[23] See Jacqueline Klosek et al., Washington’s My Health My Data Act Comes into Force – What You Need to Know, and Do, Goodwin (Mar. 28, 2024), https://www.goodwinlaw.com/en/insights/publications/2024/03/alerts-technology-hltc-my-health-my-data-act-mhmda (explaining that the law “imposes stringent notice and consent requirements as well as restrictions on certain forms of advertising that exceed the requirements of other state privacy laws.”).
[24] Id.
[25] Geoghegan, supra note 13.
[26] Kirk J. Nahra, Ali A. Jessani & Samuel Kane, Nevada Legislature Passes Consumer Health Data Privacy Bill, WilmerHale: WilmerHale Privacy and Cybersecurity Law (June 14, 2023), https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20230614-nevada-legislature-passes-consumer-health-data-privacy-bill.
[27] Wendell J. Bartnick et al., 2024 Brings Novel Compliance Challenges from State Health Data Privacy Laws, Reed Smith (Mar. 21, 2024), https://www.reedsmith.com/en/perspectives/2024/03/2024-brings-novel-compliance-challenges-from-state-health-data-privacy-laws.
[28] Jodka, supra note 3.
[29] See Geoghegan, supra note 13; supra Part III.
[30] Nahra et al., supra note 26.
[31] See supra Part IV.
