GLP-1 Provider Privacy and Data Questions to Ask Before You Enroll
By the WPG Editorial Team · ~25-min read

The bottom line
Use this guide if: you're comparing online GLP-1 providers, you're about to start an intake quiz, you just saw a Wegovy or Zepbound ad and feel uneasy, or you already signed up and want to know who has your data.
Before you share GLP-1 data, ask these 7 questions
| Ask this | A good answer sounds like | A red flag sounds like |
|---|---|---|
| Do you have a current HIPAA Notice of Privacy Practices? | They link it, date it, and name the medical group. | Only a generic "privacy policy" — no separate medical notice. |
| Which data is PHI and which is not? | They explain account, marketing, payment, and clinical data as separate buckets. | "Everything is HIPAA-compliant" with no specifics. |
| Do you use Meta, Google, or TikTok pixels on intake or login pages? | They name vendors, say where tracking is disabled, and explain consent. | They just point to a cookie banner. |
| Who actually receives my information? | They name the prescribing medical group, pharmacy, lab, payment processor, insurer, and main vendor categories. | Vague phrases like "trusted partners" or "service providers." |
| Can I access, correct, delete, or opt out? | They give you a specific request URL and a timeline. | No clear path, or only a support-chat reply. |
| Are texts and emails secure — and optional? | They explain what goes through the secure portal versus SMS/email and let you opt for portal-only. | Medication names, diagnoses, or payment details land in regular texts by default. |
| What happens if there's a breach? | They name a privacy contact and explain notification obligations. | No breach process. No privacy email. |
Send these in writing — through the provider's support form or a help email. Save the reply. If a provider can't answer in a few business days, that's part of your answer. The full 17-question worksheet is below.
Why we built this page
Most "how to pick a GLP-1 provider" guides treat privacy as bullet #9 of 10 — one sentence about HIPAA, and you're back to comparing prices. That's not enough. The real privacy risk in GLP-1 telehealth isn't usually the doctor visit. It's the parts around the doctor visit: the intake quiz, the marketing site, the cookie tracker, the payment processor, the wellness app, the affiliated medical group, the pharmacy, the customer-support chat tool.
We built this page because the five FTC health-data cases this guide relies on — GoodRx, BetterHelp, Premom, Cerebral, and Monument — happened in exactly that gap. The FTC's first GLP-1-specific telehealth action (NextMed, December 2025) and the FDA's 30 telehealth warning letters (March 3, 2026) tell us regulators are now looking directly at this industry.
The 17 GLP-1 provider privacy and data questions to ask before you enroll
HIPAA and medical record questions (the foundation)
What is the legal name of the medical group that will actually treat me?
Most large GLP-1 telehealth brands are not the entity that holds your medical record. The website is owned by a Management Services Organization (MSO) — a marketing and tech company. The clinical care is delivered by a separate Professional Corporation (PC) or affiliated medical group. This split is normal and legal. But it matters for privacy because the medical group is the HIPAA-covered entity; the platform company may be outside HIPAA for non-clinical data.
Can you send me your current HIPAA Notice of Privacy Practices (NPP) before I complete intake?
The NPP is a federal requirement for any HIPAA-covered healthcare provider. The U.S. Department of Health and Human Services says covered providers with a website must "prominently post" the notice online. If a GLP-1 provider can't show you the NPP before you submit medical data, that's a problem.
Which parts of my intake become Protected Health Information (PHI)?
PHI is health information that is individually identifiable and held or transmitted by a HIPAA-covered entity or business associate — and PHI gets stronger legal protection than ordinary "personal data." The intake quiz answers, weight, BMI, medical history, photos, lab results, prescriber messages, and prescription records typically become PHI once routed to the covered medical group. Marketing-site behavior, the cookie that fired before you signed up, and the email you entered on the landing page may not be PHI.
Which parts of my account, marketing, shipping, or payment data are not PHI?
This is the question almost no shopper asks, and it's the question every FTC enforcement action in this space has turned on. Marketing data — including the simple fact that you visited the intake page — often flows through ad pixels, analytics tools, and customer-support platforms before you ever become a patient. That data may or may not be protected.
Tracking, pixel, and advertising questions
Do you use Meta Pixel, Google Analytics, TikTok pixel, or any third-party advertising tracker on pages that collect health information?
A joint Markup / STAT investigation evaluated 50 direct-to-consumer telehealth firms. Thirteen had at least one tracker collecting answers to medical intake questions. Twenty-five sent at least one Big Tech platform a notification that the user had added a treatment plan or prescription to their cart. Forty-nine of the 50 sent the URLs users were viewing to at least one third-party tech company. The HHS Office for Civil Rights has said that simply mentioning tracking in a privacy policy or cookie banner does not, by itself, give a HIPAA-covered entity permission to disclose PHI to a tracking vendor.
Do any ad platforms receive my email, phone number, browsing behavior, or health-interest data — even in hashed form?
"Hashing" means running a piece of data through a one-way function so the original can't be read directly from the output. But the same input always produces the same hash, so ad platforms can still use hashed emails and phone numbers to match you to a profile. The fact that data is hashed doesn't mean it's anonymous.
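To make the "hashed is not anonymous" point concrete, here is an added example (not from this guide) that mimics how a hashed-email match key works: both sides normalize the address the same way and hash it with SHA-256, so every overlapping person is identified without any plaintext email changing hands. All names and sample records are constructed.

```python
"""Why a hashed email is a match key, not an anonymizer.

Added example, not from the guide. Match-key pipelines typically normalize an
identifier (trim, lowercase) before hashing with SHA-256 so that the advertiser
and the ad platform compute identical digests. Function names are hypothetical;
the sample records are constructed.
"""
import hashlib
from typing import Dict, Iterable, List, Set


def normalize_email(email: str) -> str:
    """Normalize the way match-key pipelines commonly do: trim and lowercase."""
    return email.strip().lower()


def hashed_key(email: str) -> str:
    """Deterministic SHA-256 digest (hex) of the normalized email."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def hash_list(emails: Iterable[str]) -> Set[str]:
    """A 'hashed audience': the set of digests for a list of emails."""
    return {hashed_key(e) for e in emails}


def match_hashed_lists(platform_profiles: Dict[str, str], advertiser_keys: Set[str]) -> List[str]:
    """Return the platform profile ids that appear in the advertiser's hashed list.

    platform_profiles maps hashed key -> profile id. No plaintext email is
    exchanged, yet every overlapping person is re-identified on the platform side.
    """
    return sorted(pid for key, pid in platform_profiles.items() if key in advertiser_keys)


def demo() -> List[str]:
    # Constructed sample data (not real people).
    # What an intake page might hand to an ad platform: hashed emails only.
    intake_visitors = ["  Alex.Patient@Example.com", "sam@example.org"]
    advertiser_keys = hash_list(intake_visitors)

    # What the platform already holds for its logged-in users, keyed by the same hash.
    platform_users = {
        "alex.patient@example.com": "profile-1001",
        "taylor@example.net": "profile-2002",
        "sam@example.org": "profile-3003",
    }
    platform_profiles = {hashed_key(e): pid for e, pid in platform_users.items()}

    return match_hashed_lists(platform_profiles, advertiser_keys)


if __name__ == "__main__":
    print(demo())  # ['profile-1001', 'profile-3003']
```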
Do you use my information for retargeting, lookalike audiences, or marketing lists?
This is the bridge between "your data" and "ads that follow you around the internet."
Third-party sharing questions
Which pharmacies, labs, payment processors, support tools, cloud vendors, and affiliates receive my data?
A real GLP-1 program touches at least six external companies: pharmacy, lab, payment processor, cloud hosting, customer-support platform, and shipping. The provider should be able to give you the categories at minimum, and the specific pharmacy and lab names ideally.
Do you have Business Associate Agreements (BAAs) with every vendor that handles PHI?
A BAA is a written contract required under HIPAA between a covered healthcare entity and any outside service provider that creates, receives, maintains, or transmits PHI on its behalf. Without one, that vendor isn't permitted to handle PHI legally. Every legitimate GLP-1 telehealth operation should have BAAs with hosting, EHR, e-prescribing, and clinical-messaging vendors that touch PHI.
Will my insurer, employer, benefits administrator, or plan sponsor receive any individual-level data?
Employer-connected GLP-1 programs are growing fast, and they create extra privacy questions because data can move between the program, the employer, and the health plan. Aggregate reporting (e.g., "12% of enrolled employees lost more than 5% body weight") is usually fine; individual-level reporting is a different question.
Communication questions
What information is sent by text, email, app notification, or portal?
Convenience and privacy fight each other in messaging. Reminder texts are great. Reminder texts that say "Time for your tirzepatide injection!" are not great.
Can I choose secure portal-only communication?
A trustworthy provider lets you turn off SMS, email marketing, and even appointment reminders if you want everything to stay inside the portal.
Will the packaging, shipping label, or billing descriptor reveal my treatment?
This is the question for anyone who lives with roommates, family, or a curious neighbor. Discreet packaging matters. Billing descriptors that say "Wegovy Telehealth LLC" on your credit card statement also matter.
Rights, deletion, and opt-out questions
How do I access or correct my medical record?
Under HIPAA, covered entities must act on a record-access request no later than 30 calendar days after receiving it, with one allowed 30-day extension if they give you a written reason. State laws can extend or add to this. You also have the right to request corrections.
Can I delete non-medical account data, opt out of marketing, or opt out of targeted advertising?
Every GLP-1 provider that operates in the U.S. should give you at least a marketing opt-out and, in most states, a general data-rights request channel.
What information must you retain even after I cancel my account?
Clinical records have legal retention periods set by state law, provider type, and record type. The provider generally cannot delete your clinical record the moment you cancel — and shouldn't try. But marketing data, account preferences, and non-medical history should be deletable.
Security and breach questions
Who is the privacy contact, and how will I be notified if my information is breached?
Both HIPAA and the FTC's updated Health Breach Notification Rule require notification when unsecured health information is exposed. The provider should be able to give you a specific privacy officer's email or a clear breach-notification commitment.
Copy-paste message — send to any GLP-1 provider before intake
Hello — before I complete intake, please confirm: (1) the legal name of the medical group that will treat me, (2) a link to your current HIPAA Notice of Privacy Practices, (3) which intake fields are PHI versus general account or marketing data, (4) whether you run Meta, Google, or TikTok pixels on intake, portal, or login pages, (5) the categories of third parties (pharmacy, lab, payment processor, vendor) that will receive my information, (6) my options for portal-only communication, and (7) the contact for privacy rights requests and breach notifications. Please reply in writing. Thank you.
If they answer most of those clearly, you've found a real one. If they dodge or push you to "just start your free consultation," that's the answer.
What data do online GLP-1 providers collect?
| Data type | Why providers ask for it | Where the risk lives |
|---|---|---|
| Weight, BMI, body photos | Eligibility and dose monitoring | Platform storage; ad inference risk if shared with analytics |
| Medical history, diagnoses | Safety screening | Should be PHI once routed to the medical group |
| Medication list | Drug-interaction checks | Same as medical history |
| Lab results | Eligibility and monitoring | Third-party lab and the reporting chain |
| ID documents | Identity verification | Document processor or verification vendor |
| Insurance information | Coverage and prior authorization | Insurer and pharmacy benefit manager see claims |
| Payment data | Billing | Payment processor sees descriptors and amounts |
| Shipping address | Medication delivery | Carrier and packaging vendor |
| Browsing and cookie data | Site optimization and marketing | Ad networks, if pixels fire on health pages |
| Support messages | Customer care | Support platform vendor; treatment depends on whether they have a BAA |
Is GLP-1 telehealth covered by HIPAA?
The MSO–PC split that almost nobody explains
Most large online GLP-1 brands use a structure called the MSO–PC model (also called the "Friendly PC" model):
- The Management Services Organization (MSO) owns the brand, the website, the app, the marketing, the customer support, and the technology platform. The MSO is typically not a HIPAA-covered entity — but it can act as a HIPAA business associate when it handles PHI on behalf of the medical group.
- The Professional Corporation (PC) is a separate, physician-owned legal entity that actually employs the prescribing clinicians and holds the medical record. The PC is a HIPAA covered entity.
This structure exists because most states have "Corporate Practice of Medicine" laws that bar non-physicians from owning a medical practice. The MSO–PC split is the legal workaround. For your privacy, the practical consequence is that when you fill out an intake quiz, whether that data is PHI depends on who is collecting it and how it gets routed to the medical group. When you have your video visit, get prescribed, and receive a refill, that data is in the PC's medical record — HIPAA-protected.
The HHS Office for Civil Rights has clarified that HIPAA can apply to tracking technologies on a covered entity's authenticated patient portal pages. But on the marketing site — the front door of most GLP-1 telehealth brands — HIPAA's reach is far weaker.
Why "HIPAA compliant" is a marketing phrase, not a legal status
"HIPAA compliant" is not a government certification. There is no agency that audits and stamps a company "HIPAA compliant." Companies say it because it sounds good and because their lawyers have signed off that they meet some HIPAA requirements somewhere in the operation. The FTC has specifically called out telehealth companies for displaying "HIPAA-compliant" seals and badges that implied more than what was true.
Do GLP-1 telehealth companies share data with Meta, Google, and TikTok?
FTC enforcement record in telehealth (2023–2025)
The first five rows are health-data privacy cases. The last (NextMed) is the first FTC action targeting a GLP-1 telehealth company specifically — but for deceptive pricing, not data-sharing pixels.
| Company | Date | What FTC alleged | Penalty | Named ad/analytics platforms |
|---|---|---|---|---|
| GoodRx | Feb 2023 | Shared user health data with third parties via tracking pixels; misrepresented HIPAA compliance | $1.5M civil penalty + permanent ad-data ban | Facebook, Google, Criteo |
| BetterHelp | March 2023 | Shared mental-health intake answers with advertising and analytics platforms despite "we won't share" promises | $7.8M (consumer payments) | Facebook, Snapchat, Pinterest, Criteo |
| Premom | May 2023 | FTC alleged Premom disclosed sensitive and identifiable health information via SDK integrations | HBNR/FTC settlement | AppsFlyer, Google |
| Cerebral | April 2024 | Disclosed roughly 3.2M users' info to advertising and analytics platforms; deceptive cancellation | Nearly $5.1M consumer refunds + $10M civil penalty (suspended after $2M payment) | Google, Meta, TikTok |
| Monument | April 2024 | Disclosed alcohol-treatment users' info to ad platforms (2020–2022); falsely claimed "100% confidential" | $2.5M civil penalty (suspended for inability to pay) + permanent ad-data ban | Meta, Google |
| NextMed / Southern Health Solutions (GLP-1 telehealth) | Final order Dec 2025 | Deceptive pricing, fake reviews, hidden fees on GLP-1 weight-loss memberships — NOT a data-sharing case | $150,000 expected for consumer refunds | N/A |
Sources: FTC press releases at ftc.gov/news-events/news/press-releases. The 50-firm tracker findings come from joint investigations by The Markup and STAT (2022–2024). A University of Baltimore Law Review article (October 20, 2025) noted that Hims & Hers had more than double the average number of third-party trackers among the telehealth companies evaluated.
What this means for you
1. Don't trust a privacy policy that says "we never share PHI" without checking what they do with non-PHI data. GoodRx told users it would protect their health information; the FTC then alleged GoodRx had been sharing sensitive health data with advertising platforms including Facebook, Google, and Criteo for years.
2. A generic cookie banner is not HIPAA authorization for PHI sharing. HHS Office for Civil Rights has stated this directly. If a HIPAA-covered entity uses tracking on pages handling PHI without proper authorization or a BAA, that's a HIPAA problem.
3. You can check for trackers yourself before you sign up. We'll show you how in the Pixel Self-Check section below.
2026 GLP-1 provider privacy disclosure audit (12 providers)
What we reviewed
For each provider: their main Privacy Policy, their HIPAA Notice of Privacy Practices where visible, and any separate Consumer Health Data Privacy Policy. We recorded the most recent date visible on each policy at the time of our May 2026 review. Provider policies update without notice — verify the current date when you open each page yourself.
| Provider | Public documents reviewed (policy date seen) | Disclosure pattern observed | Question to ask before enrolling |
|---|---|---|---|
| Ro | Privacy Policy (effective April 2026); Consumer Health Data Privacy Policy (updated September 2025) | Discloses analytics and advertising tools including Google Analytics, Facebook, Google Ads, TikTok, and Criteo. | Which intake, portal, and marketing data is excluded from ad networks? Do you fire pixels on any intake, portal, or login pages? |
| Hims & Hers | Privacy Policy; Medical Groups Notice of Privacy Practices; Consumer Health Data Privacy Policy | States that HIPAA does not necessarily apply just because health information is involved, and that some non-protected information is governed by the general Privacy Policy. | At what point does my GLP-1 intake become PHI, and which account, marketing, lab, pharmacy, or payment data is not treated as PHI? |
| Found | Privacy Policy (updated August 2024); HIPAA-maintained information covered by HIPAA NPP | Separates the general privacy policy from HIPAA-covered information; lists multiple contracted medical groups. | Which medical group holds my GLP-1 medical record, and can you send me their current HIPAA Notice of Privacy Practices before I complete intake? |
| Calibrate | Notice of Privacy Practices (updated October 2025); Privacy Policy (updated October 2025) | Privacy policy says it does not cover PHI collected by contracted practices; NPP describes Calibrate's practices and providers. | If my employer, insurer, or benefits program is involved, what individual-level data can they see versus aggregate-only data? |
| WeightWatchers Clinic | Notice of Privacy Practices; Consumer Health Data Privacy Statement (updated October 2025) | Consumer Health Data statement says it does not apply to information collected from WeightWatchers Clinic patients, who are directed to the NPP. | What data flows between WeightWatchers, WeightWatchers Clinic, app features, coaching, membership, pharmacy, and the clinical record? |
| Noom / Noom Med | Noom Privacy Policy; HIPAA Notice (updated December 2025) | Discloses collection of personal, technical, and health information; discloses marketing/advertising uses and advertising-provider data collection. | Which Noom Med data is treated as PHI, and which Noom app, coaching, behavioral, advertising, or partner data is handled under the general privacy policy? |
| PlushCare | HIPAA Notice of Privacy Practices; Privacy Policy; Consumer Health Data Privacy Policy | Separates HIPAA/PHI from general policy/consumer health data notice; references AI Care Assistant use in some contexts. | Does the AI Care Assistant process my PHI? What vendors support it, and what data is shared with my health plan or other partners? |
| Sesame | Privacy Policy (updated September 2024) | Says it covers PII and PHI uploaded through the service/app; discloses cookies and Google Analytics. A separate provider-specific NPP was not visible from the privacy page in our review. | Before I book, can you show me the provider or practice's HIPAA Notice of Privacy Practices and explain whether Sesame or the clinician holds my medical record? |
| Henry Meds | Notice of Privacy Practices (updated May 2026); Privacy Policy | Separates HIPAA NPP from general privacy policy; care is described as being delivered through independent professional entities. | Which independent professional entity treats me, which pharmacy receives my information, and which platform data is outside the NPP? |
| LifeMD | Notice of Privacy Practices (updated May 2026); Privacy Policy (updated November 2025) | NPP describes affiliated medical groups and an Organized Health Care Arrangement (OHCA); the privacy policy notes a different policy covers non-medical services and that HIPAA may not apply to all transactions or communications. | Which parts of my interaction are medical services covered by the NPP, and which are non-medical services covered by the general privacy policy? |
| Zealthy | Notice of Privacy Practice (updated March 2025); Privacy Policy (updated November 2025) | States that Zealthy itself is not a HIPAA-covered entity and that HIPAA may not apply to all transactions or communications with Zealthy or providers. | In my state and program, which entity is acting as my HIPAA-covered provider, and which Zealthy account, shipping, or payment data is not protected medical information? |
| Eden | Privacy Policy (effective January 2026); Washington My Health My Data link visible | Public privacy policy includes online analytics/advertising, aggregate/de-identified data, and marketing disclosures. A separately linked HIPAA NPP was not visible from the privacy page in our review. | Before I submit health data, can you provide the HIPAA Notice of Privacy Practices, the name of the treating medical group, and the pharmacy that will receive my information? |
What the audit tells us
- Most of the 12 providers publish a HIPAA Notice of Privacy Practices visibly. A handful do not link one cleanly from the privacy or footer pages we checked — for those, that's the first question to ask.
- A minority explicitly publish a separate consumer-health-data policy (or a Washington My Health My Data notice). Those that do tend to be the larger national brands.
- Most providers explicitly distinguish PHI handled by the medical group from platform/account/marketing data handled under a general privacy policy. The line is less clear in some of the smaller providers.
- Few providers name specific advertising or analytics vendors in their disclosures. Ro is among the providers that do; vague "service providers" language is more common.
How does your state law protect your GLP-1 telehealth data?
State consumer-health-data rights matrix
| State | Law | Effective | Key rights for GLP-1 telehealth consumers |
|---|---|---|---|
| Washington | My Health My Data Act (RCW 19.373) | March 31, 2024 (regulated entities); geofencing July 23, 2023 | Affirmative opt-in consent required to collect or share consumer health data; right to a list of every third party your data was shared or sold to; right to deletion; right to withdraw consent; geofencing around health facilities banned; private right of action via WA Consumer Protection Act. |
| Nevada | SB 370 | March 31, 2024 | Consent, notice, and security duties for consumer health data; restricts geofencing; enforced as a deceptive practice by the Nevada Attorney General. |
| Connecticut | Connecticut Data Privacy Act (CTDPA) + Public Act 23-56 amendments | July 1, 2023 (CTDPA); October 1, 2023 (Public Act 23-56) | Consumer-health-data controllers covered without the usual size/revenue thresholds; geofencing restricted near mental, reproductive, and sexual health facilities. |
| California | CCPA/CPRA + CMIA + AB 352/AB 254 | Various 2020–2024 | General CCPA/CPRA rights for personal and sensitive personal information; CMIA protections for medical information; AB 352/AB 254 reproductive-, sexual-, and gender-affirming-health protections. |
| All other states | HIPAA where applicable + FTC Act §5 + Health Breach Notification Rule (updated July 29, 2024) + state breach-notification and consumer-protection statutes | Federal + state | Rights vary by state. Check your state attorney general's site and the provider's state-specific notice. |
Sources: Washington State Attorney General (atg.wa.gov); RCW 19.373; NV SB 370; CT Public Act 23-56 and Connecticut Attorney General guidance; California Civil Code §§1798.100 et seq.; FTC Health Breach Notification Rule (Federal Register, May 2024).
Practical leverage
If you live in Washington, Nevada, Connecticut, California, or another state with applicable privacy rights, send this:
Copy-paste state-law data rights request
Under the privacy law that applies to my state, I am requesting: (1) access to the health, account, marketing, and consumer-health data you maintain about me; (2) deletion of data you are legally permitted to delete; (3) opt-out of any sale, sharing, or targeted advertising involving my data; and (4) the list or categories of third parties, affiliates, or processors you are required to disclose. Please respond within the timeline required by my state's law.
Who can actually see your GLP-1 prescription and weight data?
The four data paths
Your clinician and pharmacy
Always involved. Your prescriber writes the order; the pharmacy fills it. Standard HIPAA protections apply.
Insurance and PBMs
If insurance is billed for your GLP-1 — including prior authorizations — your health plan and your pharmacy benefit manager will see the prescription. PBMs include companies like Caremark, Express Scripts, and Optum Rx. Their records of your fill history may also feed into other data services if you've consented to that anywhere (and many people have without realizing it).
Employer benefits programs
If you signed up for a GLP-1 through your employer's benefit, the program may share aggregate reports with HR — for example, average weight loss across enrolled employees — but should not share individual data. Plan-sponsor access depends on the plan structure, the vendor's reporting practices, and HIPAA roles. Confirm what your employer specifically receives, in writing, before you enroll.
Cash-pay direct-to-consumer
When you pay cash and skip insurance entirely, you cut the insurance and PBM out of the picture. That's a meaningful privacy gain. But it doesn't make you anonymous. The provider, pharmacy, payment processor, and shipping carrier still have your data. And any pixels on the provider's site still fire.
Cash-pay vs. insurance: a practical comparison
| Question | Cash-pay DTC route | Insurance-billed route |
|---|---|---|
| Does your insurer see the prescription? | Usually no (if you submit no claim) | Yes |
| Does your PBM record the fill? | Usually no (unless you used a PBM-linked discount card or rebate program) | Yes |
| Could your employer's health plan see claims? | Usually no | Claims go to the health plan; employer or plan-sponsor visibility depends on plan structure and vendor reporting |
| Does the provider still have your full record? | Yes | Yes |
| Could a pixel leak still happen? | Yes — if the provider runs trackers on health pages | Yes |
| Is it usually cheaper? | Often more expensive per month for compounded GLP-1s; varies for FDA-approved | Often cheaper if covered, more expensive if not |
What about pharmacies, labs, and compounded GLP-1s?
Pharmacy questions to ask
- What is the legal name of the pharmacy?
- Is it state-licensed where you ship to me?
- If it's a compounding pharmacy, is it a 503A pharmacy or a 503B outsourcing facility?
- What information do you share with the pharmacy beyond the prescription itself?
- Does the shipping label or billing descriptor reveal the medication?
- Can I contact the pharmacy directly with questions about my fill?
Lab questions to ask
- Which lab company will draw my labs (LabCorp, Quest, or a home test kit)?
- Are lab orders billed to my insurance, or paid cash directly?
- Who receives the results?
- Are lab results ever used for research, marketing, or analytics?
A note on compounded GLP-1s
How to verify a provider's privacy claims yourself — the 5-minute Pixel Self-Check
Method 1: The browser way (most accurate, takes 5 minutes)
1. Open the GLP-1 provider's intake quiz or "Get Started" page in Chrome, Safari, or Firefox.
2. Right-click anywhere on the page and select Inspect (or press F12 on Windows / Option+Command+I on Mac).
3. Click the Network tab at the top of the Developer Tools panel.
4. Refresh the page (Cmd-R or Ctrl-R).
5. In the Network filter box, type facebook. Look at what loads. Calls to connect.facebook.net or facebook.com/tr are the Meta Pixel firing.
6. Clear the filter and repeat with each of these filter terms in turn: google-analytics, doubleclick, tiktok, bing, criteo.
7. If any of those fire on a page that's asking about your weight, BMI, medications, or medical history — that's the pixel-leak risk the FTC has been enforcing against.
What's OK: first-party analytics the provider can explain in its privacy policy or HIPAA documentation. What's not OK: unexplained third-party advertising trackers loading on a page where you're being asked about your health.
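The manual filter steps above can be repeated offline: in Chrome's Network panel you can right-click the request list and choose "Save all as HAR with content", then scan the saved file. The script below is an added example (not from this guide) that looks for the same vendor hosts the steps have you filter for and flags tracker requests whose URL carries intake-style terms; the vendor table and the embedded sample HAR are constructed, not a capture from any real provider.

```python
"""Offline tracker check over a DevTools HAR export (added example, not from the guide).

Reads the log.entries of a HAR file, names the third-party tracker vendor for each
request, and flags requests whose query string carries intake-style health terms.
The vendor table, health-term list, and SAMPLE_HAR below are constructed.
"""
import json
import sys
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Host/path substrings to match, mirroring the manual filter terms in the guide.
TRACKER_PATTERNS = {
    "Meta Pixel": ("connect.facebook.net", "facebook.com/tr"),
    "Google Analytics": ("google-analytics.com", "googletagmanager.com"),
    "Google Ads / DoubleClick": ("doubleclick.net",),
    "TikTok Pixel": ("analytics.tiktok.com",),
    "Microsoft / Bing": ("bat.bing.com",),
    "Criteo": ("criteo.com", "criteo.net"),
}

# Intake-style words in a tracker request URL suggest health data is leaving with the hit.
HEALTH_TERMS = ("weight", "bmi", "medication", "diagnosis", "glp", "semaglutide", "tirzepatide")


def classify_request(url: str) -> Optional[str]:
    """Name the tracker vendor a request URL belongs to, or None for first-party/unknown."""
    parts = urlsplit(url)
    host_and_path = (parts.netloc + parts.path).lower()
    for vendor, needles in TRACKER_PATTERNS.items():
        if any(n in host_and_path for n in needles):
            return vendor
    return None


def find_trackers(har: dict) -> List[dict]:
    """Walk log.entries of a HAR document and report third-party tracker hits."""
    hits = []
    for entry in har.get("log", {}).get("entries", []):
        url = entry.get("request", {}).get("url", "")
        vendor = classify_request(url)
        if vendor is None:
            continue
        query = urlsplit(url).query.lower()
        hits.append({
            "vendor": vendor,
            "url": url,
            # True if the query string itself carries intake-looking field names or values.
            "health_terms_in_url": any(t in query for t in HEALTH_TERMS),
        })
    return hits


def summarize(har: dict) -> Dict[str, int]:
    """Count hits per vendor: the summary you'd quote back to the provider when asking."""
    counts: Dict[str, int] = {}
    for hit in find_trackers(har):
        counts[hit["vendor"]] = counts.get(hit["vendor"], 0) + 1
    return counts


SAMPLE_HAR = {  # constructed for illustration; not a capture from any real provider
    "log": {"entries": [
        {"request": {"url": "https://provider.example/intake/step-2?bmi=31"}},
        {"request": {"url": "https://connect.facebook.net/en_US/fbevents.js"}},
        {"request": {"url": "https://www.facebook.com/tr/?id=123&ev=AddToCart&cd[content_name]=semaglutide"}},
        {"request": {"url": "https://www.google-analytics.com/g/collect?tid=G-XXXX&dl=https://provider.example/intake"}},
        {"request": {"url": "https://cdn.provider.example/app.js"}},
    ]}
}


if __name__ == "__main__":
    # Usage: python tracker_check.py saved.har   (falls back to the constructed sample)
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    for hit in find_trackers(har):
        flag = "  <-- health terms in request" if hit["health_terms_in_url"] else ""
        print(f"{hit['vendor']}: {hit['url']}{flag}")
    print(summarize(har))
```

First-party requests such as the provider's own intake step (even with `bmi=31` in the URL) are deliberately not reported; the question the guide raises is which third parties receive that data.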
Method 2: The browser-extension way (faster, less granular)
Install one of these free privacy tools and visit the same page:
- Ghostery — Shows you every tracker on the page with one click
- Privacy Badger (Electronic Frontier Foundation) — Same idea, plus blocks them
- DuckDuckGo Privacy Essentials — Easiest for non-technical users; shows a privacy grade
What to do with what you find
The Provider Response Grader: scoring the answers you get back
Don't grade by vibes. Use a simple 0–2 score across 10 categories. The strongest answers are dated, specific, written, and tied to visible documents; the weakest are vague, promotional, or arrive with pressure to enroll before you've finished asking. This is a response-quality score — how well a provider answers your questions, which is the only thing you can actually verify before you become a patient.
Provider Response Grader
Score each category 0 (worst) → 2 (best) based on the answers you received
1. HIPAA NPP availability
2. HIPAA boundary explanation
3. Medical group named
4. Pharmacy named
5. Tracking/pixel disclosure
6. Vendor sharing
7. Communication options
8. Rights request process
9. Breach contact
10. Cancellation and retention
0–6 pts: Do not submit data
Do not enter sensitive data until they clarify in writing. If they won't, that's a clear "next provider."
What if I already signed up — and now feel uncomfortable?
Step 1: Save evidence
Screenshot, with date:
- The intake pages you completed
- The privacy policy, NPP, and consumer health data notice on the date you signed up
- Any emails or texts from the provider
- Payment receipts and pharmacy labels
- Cancellation terms
Step 2: Submit your requests
Copy-paste post-enrollment data rights request
Hello — I am exercising my data rights as a patient and as a consumer. Please send me: (1) under HIPAA, a copy of my designated record set, including all clinical encounters, prescriptions, lab results, and provider notes, within the timeline required by HIPAA; (2) under the privacy law that applies to my state, or your privacy policy, the list or categories of third parties, affiliates, or processors with whom you have shared or sold my consumer health, account, or marketing data; (3) confirmation of my marketing opt-out and targeted-advertising opt-out; (4) deletion of my non-clinical account, marketing, and consumer health data, with confirmation by email. Please reply within the timeline required by my state's law or 30 days, whichever is shorter.
Step 3: Escalate if you don't get a real reply
- For HIPAA issues involving your medical record: HHS Office for Civil Rights complaint portal at hhs.gov/ocr
- For deceptive privacy claims, hidden billing, fake reviews, or unfair cancellation: FTC complaint portal at reportfraud.ftc.gov
- For state consumer health data rights (Washington, Nevada, Connecticut, California, etc.): Your state attorney general's consumer protection office
- For misleading compounded GLP-1 marketing: FDA at fda.gov
Pre-enrollment checklist (the 10-minute version)
Before you submit a single intake form, open these documents and verify these facts. If anything is missing, ask before you enroll — not after.
1. Open the provider's Privacy Policy. Note the date. Look for ad-network names.
2. Find and open the HIPAA Notice of Privacy Practices. It should be linked from the footer or a "Legal" page.
3. Open the Consumer Health Data Privacy Policy, if applicable. It is required for many Washington-state operators; also check if you live in WA, NV, CT, or CA.
4. Open the Telehealth Consent if one is linked.
5. Open the SMS / email terms.
6. Locate the medical group's legal name.
7. Locate the pharmacy's legal name and license category (or note that it isn't disclosed).
8. Find the privacy contact: officer name, email, or postal address.
9. Check the tracking / advertising section of the privacy policy. Cross-check it with the Pixel Self-Check above.
10. Screenshot every key page with today's date before you enroll. If anything changes later, you'll have a record of what they told you originally.
What we actually verified (and what we didn't)
What we verified for this guide, in May 2026
- Every FTC enforcement action cited above against the sourced FTC press release at ftc.gov.
- Every state law cited above against the state legislature's published statute, the state attorney general's consumer guidance, or both.
- The HIPAA scope claims against HHS guidance at hhs.gov (specifically 45 CFR 160.103 and the HHS Office for Civil Rights tracking-technology guidance).
- The FDA 30-warning-letter action against the FDA's published press announcement of March 3, 2026.
- The FDA April 30, 2026 proposed exclusion of semaglutide, tirzepatide, and liraglutide from the 503B Bulks List.
- The 12 providers' privacy policies, HIPAA notices, and consumer health data policies by opening each public page on the dates noted.
- The Markup / STAT tracker investigation by reviewing their published methodology and findings.
- The University of Baltimore Law Review article noting Hims & Hers' tracker count: The GLP-1 Telehealth Boom: Can HIPAA Keep Up with Consumer Privacy Risks?, October 20, 2025.
What we did not do
- Create accounts with any of the 12 providers.
- Complete intake forms or fill in any health data.
- Inspect authenticated patient portals or logged-in pages.
- Run our own technical pixel audit on intake forms.
- Review business associate agreements, vendor contracts, or backend security.
- Conduct any form of legal compliance audit.
- Rank providers as "most private" or "least private." Public disclosure is one signal; we don't have the technical or legal access to grade compliance.
Frequently asked questions about GLP-1 provider privacy
How to compare two GLP-1 providers on privacy
Pick the same five categories for each provider and score side by side: HIPAA boundary clarity, third-party disclosure, tracking practices on intake pages, rights-request process, and breach response. The provider that gives you specific, dated, written answers to your questions wins on privacy — regardless of which is cheaper, faster, or more famous.
Use the Provider Response Grader above. Same 10 categories, same 0–2 scoring. Tally each provider. The numbers tell you who's willing to be transparent.
What's next
You now have the 17 questions, the FTC enforcement record, the 12-provider audit, the state-rights matrix, the Pixel Self-Check, the Response Grader, and the post-enrollment escalation path. If you started this page worried, you should leave it equipped.
If a single provider failed your test, you don't owe them an enrollment. There are dozens of GLP-1 telehealth companies right now. The ones that answer your questions clearly are the ones worth your data.
Update log
| Date | What changed | Verified by |
|---|---|---|
| | First publication. 12-provider public disclosure audit completed. FTC enforcement table verified against ftc.gov press releases. State law matrix verified against published state statutes and state attorney general guidance. FDA actions (March 3, 2026 warning letters; April 30, 2026 503B Bulks List proposal) verified against fda.gov. | WPG Editorial Team |