Lilly direct-selling Zepbound at $499/mo — compare with 11 other programs
Affiliate disclosure: we earn commission from some partners. Learn more.
Weight Loss· Editorial-reviewed against primary sources

Telehealth privacy: how PHI flows in 503A compounding (2026)

When you sign up for a telehealth GLP-1 subscription, your PHI passes through 3-5 distinct entities — provider group, telehealth platform, pharmacy, sometimes a marketing platform. Here's the realistic map.

By WeighedHealth Editorial

5 min readUpdated

0-5 entities
typical PHI handoffs per telehealth subscription
HIPAA BAA
the contract that should bind each handoff
FTC Act §0
non-HIPAA jurisdiction for marketing data
Pixel tracking
the most common HIPAA violation vector in 2024-2025

The entities involved in a typical subscription

When you sign up for a telehealth GLP-1 subscription, the visible interface is a single brand — the website you fill out the intake form on. Behind that interface, your PHI typically flows through three to five distinct legal entities, each with its own privacy obligations.

Entity 1 — the telehealth platform itself. This is the brand you signed up with. The platform is usually not a healthcare provider; it's a technology company that operates the website, processes payments, and manages logistics. Under HIPAA, the platform is typically a Business Associate of the provider group rather than a covered entity itself.

Entity 2 — the contracted provider group. The clinician who reviews your intake and writes your prescription is usually employed by a separate provider group that contracts with the platform. This group is the actual HIPAA-covered entity. Your medical record technically lives with this group, not the platform.

Entity 3 — the dispensing pharmacy. Either a 503A compounding pharmacy or a retail pharmacy. The pharmacy is a separate HIPAA-covered entity. It receives the prescription and dispenses the medication.

Entity 4 (sometimes) — a payments processor and shipping vendor. These are usually Business Associates with limited PHI exposure (billing information rather than medical detail).

Entity 5 (sometimes) — a marketing platform or advertising network. This is the entity that produces the highest privacy risk. Marketing platforms are NOT typically HIPAA Business Associates, and data shared with them often falls outside HIPAA jurisdiction.

Pixel tracking: the dominant 2024-2025 violation pattern

Through 2023-2025, the FTC and HHS Office for Civil Rights brought a series of enforcement actions against telehealth companies for sharing PHI with advertising platforms via tracking pixels — small pieces of code from Meta, Google, TikTok, and similar companies embedded in webpages. When a user fills out an intake form on a page containing these pixels, the form data can be transmitted to the advertising platform along with the user's identifier.

The pattern flagged by enforcement: users entering 'I want to lose weight' and 'BMI 32' and '[email protected]' into an intake form, and that information being transmitted to Meta Ads where it became the basis for targeted advertising. The legal issue is that the intake page is sharing health information with a third party that does not have a HIPAA Business Associate Agreement with the provider group.

Most telehealth platforms removed the most aggressive pixel implementations after the 2023-2024 enforcement wave. Current practice is more variable — some platforms removed pixels from intake pages entirely, others use 'conversions API' implementations that send data server-side after de-identification. The practical signal for consumers: if a platform's intake form is loaded with third-party trackers visible in your browser's developer tools, the privacy posture is questionable regardless of what the privacy policy claims.

What HIPAA covers and what it doesn't

HIPAA covers PHI in the hands of covered entities (the provider group, the pharmacy) and Business Associates with signed agreements. PHI shared with these entities for treatment, payment, and healthcare operations is permitted without additional consent.

HIPAA does NOT cover health information you share outside the covered-entity relationship. Health information you post on social media, type into a non-HIPAA-compliant tool, or share with a marketing platform without a BAA falls outside HIPAA jurisdiction. The FTC Act §5 (deceptive practices) is the primary federal jurisdiction for those cases, supplemented by state consumer-protection laws.

Practical implication: the privacy policy of the telehealth platform matters. Read the section on data sharing with 'service providers' and 'partners'. Look specifically for: whether advertising platforms are listed as recipients; whether 'aggregated' or 'de-identified' data is shared and how aggregation is defined; whether you have the right to request deletion.

503A compounding adds a specific layer

When the dispensed product is a 503A compounded GLP-1 (rather than brand Wegovy or Zepbound), the pharmacy has additional documentation requirements. State boards of pharmacy require 503A pharmacies to document patient-specific medical necessity, which means more granular clinical information typically passes from the provider group to the pharmacy than in a standard retail dispensing relationship.

This documentation requirement creates additional PHI flows that don't exist in retail dispensing. It also means 503A pharmacies maintain more detailed patient records that may persist longer than retail dispensing records. Some state boards require 503A pharmacies to maintain records for 5-7 years; retail dispensing is often 2-3 years.

The legal posture is sound — these are all covered entities operating under HIPAA. The practical implication is that more entities hold more detailed information about you for longer when you use a 503A compounded product.

Realistic privacy hygiene for users

Use a dedicated email address for telehealth signups. This limits cross-platform identification and makes it easier to detect when data flows beyond authorized use (marketing emails to that address from unaffiliated companies are a strong signal of data sharing).

Don't sign up for telehealth services using employer-provided devices or networks. Employer device management software can capture activity, and some corporate networks log domain access in ways that could expose health-related browsing.

Review the platform's privacy policy specifically for: data retention period after account closure; categories of third-party recipients; explicit statements about advertising pixel use; the procedure for requesting deletion or access to your records.

Be skeptical of 'free' tools that ask for health information up front. A free BMI calculator that requires your email and phone before showing results is collecting marketing leads, not providing a clinical tool.

Sources

Primary sources cited above. FDA labeling, peer-reviewed trials, and specialty-society guidelines only.

  1. HHS OCR: Use of Online Tracking Technologies by HIPAA Covered Entities · U.S. Department of Health and Human Services, 2023
  2. FTC Health Breach Notification Rule · Federal Trade Commission, 2024
  3. USP 797 Pharmaceutical Compounding — Sterile Preparations · United States Pharmacopeia, 2023

Related reads

Share: