Who Sees Your Telehealth Data? The Shocking Truth

Medically reviewed by Joseph on August 24, 2025

You’ve likely seen the enticing ads on your social media feed. A sleek and user-friendly telehealth service promises a swift consultation and a prescription for a popular weight loss medication like Wegovy or Zepbound, all conveniently delivered to your phone.

The process is remarkably straightforward. You’ll be prompted to answer a few dozen highly personal questions about your weight, health history, lifestyle, and goals. You might even be asked to upload a photo. Finally, you’ll reach the last screen, where you can scroll past a wall of text and simply tap ‘I Agree.’

But what exactly did you agree to? In our rush for convenience, we often overlook where our telehealth data and sensitive information are being sent. The truth is, the privacy regulations governing this new digital health landscape are far more ambiguous than most of us realize, but that’s gradually changing.

TL;DR: Here’s What’s Happening

  • Many popular telehealth weight loss platforms and health apps are not covered by the traditional health privacy law, HIPAA, creating a significant privacy loophole.
  • This gap has allowed some companies to share or sell sensitive user data—like your health conditions and prescriptions—to third parties like data brokers and ad platforms.
  • Regulators, led by the Federal Trade Commission (FTC), are now using other laws to crack down on this practice, demanding clear user consent before health data is shared.
  • This shift means you should start seeing more transparent privacy policies, but you still need to be vigilant about protecting your personal health information online.

The Telehealth Boom and Its Data Shadow

The rise of direct-to-consumer telemedicine for weight management has revolutionized the industry, providing millions with unprecedented access, discretion, and convenience. However, this convenience comes at a significant cost: the creation of a massive, centralized collection of personal health data that holds immense value.

We’re not just talking about your name and email. These platforms collect what is legally referred to as Personal Health Information (PHI). This includes your weight, BMI, pre-existing conditions, mental health notes, and a log of the medications you take.

This is the same information you’d share with your family doctor, but the protections offered may not always be the same.

The HIPAA Loophole You Didn’t Know Existed

Most of us have heard of HIPAA (the Health Insurance Portability and Accountability Act). We think of it as the shield that protects our medical records. And it is, but only for “covered entities.” In simple terms, HIPAA applies to your doctor’s office, hospitals, and health insurance companies.

Here’s the loophole: Many tech companies, app developers, and direct-to-consumer telehealth platforms aren’t considered “covered entities.” They operate in a gray area, meaning they haven’t always been bound by the same stringent privacy and security regulations.

This has enabled some of them to monetize user data by sharing it with third parties like Facebook, Google, and other data brokers for advertising purposes, often without obtaining clear and direct consent from the users.

The Crackdown: How Regulators Are Closing the Gap

The good news is that regulators are becoming more aware of the issue. The U.S. Federal Trade Commission (FTC) has begun more stringent enforcement of other consumer protection laws to hold digital health companies accountable.

A significant turning point occurred with the Federal Trade Commission’s recent enforcement actions against companies such as the prescription drug discounter GoodRx and the counseling service BetterHelp.

The FTC accused these companies of sharing user health data with advertisers despite their assurances to users that their information would remain confidential. As a result of these allegations, the companies were fined substantial amounts and, more importantly, were prohibited from sharing user health data for advertising purposes.

The Federal Trade Commission (FTC) is enforcing this policy using its Health Breach Notification Rule. According to the commission’s guidelines, this rule goes beyond significant cyberattacks. It requires companies not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify their customers if their health information is accessed or shared without their explicit consent. The FTC’s stance is clear: sharing data without obtaining explicit permission constitutes a breach.

States are also taking action. For instance, Washington enacted the “My Health My Data Act,” a significant consumer privacy law that establishes stringent regulations for entities handling health data. This legislation effectively closes the HIPAA loophole within the state.

What This Means For Your Telehealth Experience

First, companies will be compelled to adopt more transparent language in their privacy policies, disclosing who they share your data with and the reasons behind such sharing. The vague language that was prevalent in the past will likely be replaced with more direct requests for consent.

Second, you should have more control over your data. These new rules empower you to refuse the use of your data for marketing purposes. However, this doesn’t mean you can completely ignore the matter. You still need to be your own best advocate. Before signing up for a new service, take a few minutes to review its privacy policy. 

The future of telehealth weight loss is undoubtedly digital, but it must be built on a foundation of trust. These new legal pressures are a positive step in the right direction, as they encourage the industry to prioritize user privacy over profits.

Frequently Asked Questions (FAQ)

1. Is my telehealth information protected by HIPAA?

Not always. While some telehealth platforms that connect you directly with a doctor’s practice are covered by HIPAA, many direct-to-consumer health apps and websites are not. This is why new rules from the FTC and states are so important.

2. Can telehealth companies sell my data?

Legally, selling your identifiable health data without your explicit consent is a major violation. However, some companies have shared “de-identified” or aggregated data with third parties or used personal data for targeted advertising, which is the practice regulators are now cracking down on.

3. What is the FTC’s Health Breach Notification Rule?

It’s a rule that requires vendors of personal health records and related entities not covered by HIPAA to notify consumers and the FTC following any breach of unsecured identifiable health information. The FTC has recently interpreted “breach” to include unauthorized sharing of data.

4. How can I protect my health data when using an app?

Read the privacy policy before agreeing, especially looking for terms like “third parties,” “advertising,” or “partners.” Use strong, unique passwords. Limit the permissions you grant the app on your phone. If you’re no longer using a service, request that your data be deleted.

Conclusion

Telehealth offers undeniable convenience, but it should never compromise our privacy. As laws gradually catch up with technological advancements, it’s our collective responsibility to stay informed and demand better from the companies we entrust with our most personal data.

Sources:

  1. Federal Trade Commission (FTC). “FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising.” https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising
  2. The Seattle Times. “What to know about Washington’s My Health My Data Act.” https://www.seattletimes.com/seattle-news/health/what-to-know-about-washingtons-my-health-my-data-act/
