*Benjamin Wachs

I. Introduction

About one in every eight adults in the United States are taking GLP-1 medications to help treat diabetes and facilitate weight loss.^[1] The immense success of these drugs on patients’ weight loss has earned them the nickname “miracle drugs.” ^[2] The industry is projected to boom into a 30-billion-dollar market by the end of 2025.^[3] As a result, several GLP-1 clinics and online telehealth ventures have emerged across the nation.^[4] The telehealth model has become increasingly popular for both GLP-1 providers and consumers, as it allows providers an opportunity to scale nationally, and offers discretion and secrecy to consumers.^[5] However, GLP-1’s quick ascension as a treatment for diabetes and weight loss, facilitated by the telehealth model, raises questions about consumers’ privacy rights.^[6]

II. A Brief Look into HIPAA Policies Regarding Telehealth Providers

The US Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 with the goal of protecting patient information and privacy.^[7] HIPAA established strict standards designed to safeguard patients’ protected health information.^[8] HIPAA applies only to covered entities and their business associates, meaning a healthcare provider must transmit electronic health information as part of a standard HIPAA transaction, such as an insurance claim, to be subject to HIPAA.^[9] However, a cash-only practice that avoids such transactions may not be covered under HIPAA and, as a result, may not have to comply with its strict standards for safeguarding patient medical information.^[10] This distinction has become particularly relevant in the GLP-1 telehealth industry, as many companies have moved to direct-to-consumer cash pay models that do not involve insurance.^[11]

III. Consumer Consequences of the Cash-Pay Telehealth Model

One of the foremost challenges consumers in the GLP-1 telehealth surge face is the failure to safeguard their privacy.^[12] Many healthcare provider webpages use tracking technologies, known as cookies or pixels, to create consumer profiles. These profiles are sold to large third-party advertising companies like Meta and Google, who subsequently use the information for targeted advertisements.^[13] Hims and Hers, a popular GLP-1 distributor’s website, had more than double the average number of third-party trackers, including Facebook.^[14] These invasive consumer profiles are built outside of HIPAA protections.^[15]

The Federal Trade Commission’s $1.5 million penalty against GoodRx, a prescription drug discount provider, in 2023 underscores the severity of privacy breaches emerging among telehealth providers nationwide.^[16] This penalty came three years after Consumer Reports determined GoodRx shared consumer data with over twenty companies, including Google and Meta.^[17] The potential consequences consumers face from privacy breaches are significant in the GLP-1 telehealth industry.^[18] After the information collected by the telehealth website’s tracking systems is sold to companies, consumers’ insecurities are leveraged to sell weight loss products.^[19] Additionally, privacy breaches lead companies to engage in surveillance pricing, charging consumers different prices for the same product based on data collected online.^[20] As a result of privacy breaches in the telehealth industry, consumers’ sensitive health data is being widely disseminated across the internet and exploited in ways they never anticipated, depriving them of consent.^[21]

IV. State Legislative Responses to Telehealth Privacy Gaps

In response to privacy concerns around sensitive health data generated by telehealth platforms, several states have enacted laws to protect consumer health data.^[22] The Washington “My Health My Data Act” (MHMDA) empowers individuals by giving them  greater control over their health data.^[23] Under the MHMDA, actors handling consumer health data must follow a detailed six-part framework governing privacy policies, consent, sale restrictions, advertising limits, consumer rights, and vendor agreements.^[24] These provisions are particularly relevant for telehealth providers who prescribe GLP-1 medications. Their digital platforms frequently collect, store, and share sensitive patient information outside the scope of HIPAA’s coverage, creating both compliance challenges and potential liability risks.^[25] Nevada and Connecticut have passed similar acts to the MHMDA, imposing new requirements that companies must follow regarding consumer health data in their respective states.^[26] These state level initiatives highlight a growing trend to fill federal privacy gaps, offering consumers stronger protections and signaling that telehealth providers must prioritize data security and compliance.^[27]

V. Conclusion

The rapid ascension of GLP-1 telehealth platforms has brought significant benefits to consumers seeking convenient and discreet care.^[28] Yet the collection, storage, and sharing of sensitive consumer health data outside the scope of HIPAA has created severe privacy risks.^[29] However, states like Washington, Nevada, and Connecticut have begun addressing these problems by protecting consumers’ privacy rights and imposing stricter obligations on telehealth providers.^[30] These states have provided a roadmap for other states to follow, which will strengthen privacy protections, reduce consumer harm, and hold telehealth providers accountable for safeguarding sensitive health information.^[31]

*Benjamin Wachs is a second-year day student at the University of Baltimore School of Law where he is a Staff Editor for Law Review and a Scholar of the Royal Graham Shannonhouse III Honor Society. He received a Bachelor of Arts in Government and Politics from the University of Maryland, College Park and spent this past summer as a Judicial Intern for the Honorable Jennifer B. Schiffer in Baltimore County Circuit Court. Ben is interested in corporate law and plans on specializing in Mergers and Acquistions.

---

[1] Poll: 1 in 8 Adults Say They’ve Taken a GLP-1 Drug, Including 4 in 10 of Those with Diabetes and 1 in 4 of Those with Heart Disease, Kff (May 10, 2024), https://www.kff.org/health-costs/poll-1-in-8-adults-say-theyve-taken-a-glp-1-drug-including-4-in-10-of-those-with-diabetes-and-1-in-4-of-those-with-heart-disease.

[2] Mark Conley, Five Things to Know About GLP-1s and Addiction, Stan. Med.: News Ctr. (Apr. 1, 2025), https://med.stanford.edu/news/insights/2025/04/ozempic-addiction-glp-1s-mounjaro-lembke.html.

[3] Sara Jodka, Telehealth’s GLP-1 Boom: Balancing Obesity Care with HIPAA and State Consumer Privacy Laws, Reuters (Aug. 22, 2025), https://www.reuters.com/legal/legalindustry/telehealths-glp-1-boom-balancing-obesity-care-with-hipaa-state-consumer-privacy-2025-08-20/.

[4] Id.

[5] Id.

[6] See id.

[7] Peter F. Edemekong et al., Health Insurance Portability and Accountability Act (HIPAA) Compliance, Nat’l Libr. of Med. (Nov. 24, 2024), https://www.ncbi.nlm.nih.gov/books/NBK500019/.

[8] Id.

[9] Andrew Stein, Is a Cash-Only Medical Practice Subject to HIPAA?, Stevens & Lee: Health Law Observer (July 15, 2021), https://www.stevenslee.com/health-law-observer-blog/is-a-cash-only-medical-practice-subject-to-hipaa/.

[10] Id.

[11] Gabriela Barkho, Weight Loss Drugs Like Ozempic Are Giving DTC Telemedicine Platforms a Boost, Mod. Retail (Mar. 25, 2024), https://www.modernretail.co/operations/weight-loss-drugs-like-ozempic-are-giving-dtc-telemedicine-platforms-a-boost/.

[12] See Deesha D. Desai et al., Navigating the Landscape of Direct-to-Consumer Telehealth Services, Nat’l Libr. of Med. (Feb. 17, 2025), https://pmc.ncbi.nlm.nih.gov/articles/PMC11922300/ (“[P]rivacy concerns, particularly the absence of Health Insurance Portability and Accountability Act (HIPAA) coverage, expose patients to the risk of unauthorized disclosure of their private health information.”).

[13]  Sara Geoghegan, A Health Privacy ‘Check-Up’: How Unfair Modern Business Practices Can Leave you Under–Informed and Your Most Sensitive Data Ripe for Collection and Sale, Elec. Priv. Info. Ctr. (June 5, 2025), https://epic.org/a-health-privacy-check-up-how-unfair-modern-business-practices-can-leave-you-under-informed-and-your-most-sensitive-data-ripe-for-collection-and-sale/.

[14] Id.

[15] Id.

[16] Frank Bajak, FTC Fines GoodRx for Unauthorized Sharing of Health Data, AP News (Feb. 1, 2023, at 19:09 ET),https://apnews.com/article/technology-politics-california-health-prescription-drugs-5934cea79a747ae869c63267a4acb561.

[17] Id.

[18] Geoghegan, supra note 13.

[19] Id.

[20] Id.

[21] Id.

[22] Paul Schmeltzer, Telehealth Providers at a Crossroads: Navigating Insurance, Compliance and Cash-Only Models Amid State Regulations, Healthcare Dive (Sep. 20, 2024), https://www.healthcaredive.com/news/telehealth-providers-crossroads-regulations-paul-schmeltzer-clark-hill/727296/.

[23] See Jacqueline Klosek et al., Washington’s My Health My Data Act Comes into Force – What You Need to Know, and Do, Goodwin  (Mar. 28, 2024), https://www.goodwinlaw.com/en/insights/publications/2024/03/alerts-technology-hltc-my-health-my-data-act-mhmda (explaining that the law “imposes stringent notice and consent requirements as well as restrictions on certain forms of advertising that exceed the requirements of other state privacy laws.”).

[24] Id.

[25] Geoghegan, supra note 13.

[26] Kirk J. Nahra, Ali A. Jessani & Samuel Kane, Nevada Legislature Passes Consumer Health Data Privacy Bill, WilmerHale: WilmerHale Privacy and Cybersecurity Law (June 14, 2023), https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20230614-nevada-legislature-passes-consumer-health-data-privacy-bill.

[27] Wendell J. Bartnick et al., 2024 Brings Novel Compliance Challenges from State Health Data Privacy Laws, Reed Smith (Mar. 21, 2024), https://www.reedsmith.com/en/perspectives/2024/03/2024-brings-novel-compliance-challenges-from-state-health-data-privacy-laws.

[28] Jodka, supra note 3.

[29] See Geoghegan, supra note 13; supra Part III.

[30] Nahra, et al., supra note 26.

[31] See supra Part IV.