Most people assume anything they tell a telehealth platform is automatically as protected as what they'd tell a doctor in an exam room. That assumption has been wrong often enough, and expensively enough, that it's worth actually understanding the rules rather than trusting the vibe of a privacy policy nobody reads.
The enforcement record, briefly
Since 2023, the FTC has taken action against a string of digital health companies for sharing sensitive health data with advertising platforms through tracking pixels — small pieces of code that quietly report user activity to companies like Meta and Google. GoodRx paid $1.5 million. BetterHelp paid $7.8 million in consumer refunds for sharing mental health information with Facebook and others. Cerebral was fined $7 million. Across roughly 19 documented cases between 2023 and 2025, penalties and settlements tied to this exact pattern have exceeded $100 million.
Why "it's healthcare, HIPAA covers it" is wrong more often than people think
HIPAA only applies to "covered entities" — doctors, hospitals, health plans, and their direct business associates. A large share of telehealth-adjacent apps and platforms simply don't meet that definition, even though they're collecting information that feels exactly as sensitive as what a doctor's office would ask. That gap is exactly where the FTC's Health Breach Notification Rule has stepped in, treating unauthorized disclosure of health data as a reportable breach even for companies HIPAA doesn't reach.
The short version
Being HIPAA-compliant is a real and meaningful standard. But "we're not required to follow HIPAA" doesn't mean a platform can do whatever it wants with your data — it means a different regulator (usually the FTC, sometimes a state law) is the one enforcing the boundary instead.
What was actually happening in the cases that got fined
The common pattern across GoodRx, BetterHelp, Premom, and Cerebral: embedded tracking code on the website or app — often for ordinary-seeming analytics or advertising purposes — transmitted details like symptoms entered into an intake form, appointment types booked, or even specific health conditions searched, to third parties like Meta and Google, usually without the kind of clear, specific consent regulators consider adequate. In one notable case, a federal jury found Meta liable under California's privacy law for collecting menstrual and reproductive health data through a period-tracking app's embedded software — the data flowed out via code most users never knew was there.
What's changed in the platforms doing this well
Partly due to regulatory pressure and partly due to browser changes that broke third-party tracking anyway (Safari and Firefox now block or limit third-party cookies by default), many telehealth companies rebuilt their data infrastructure in 2025–2026 around first-party data collection and server-side processing that doesn't route sensitive information through ad-tech companies at all. That's a genuinely better architecture from a privacy standpoint, not just a compliance workaround.
What to actually check before you use a platform
- Does the privacy policy specifically mention sharing data with advertising partners? If it's vague or silent on this, that's worth a direct question, not an assumption of "probably fine."
- Is the platform HIPAA-compliant, and does it say so explicitly? Not a guarantee of perfection, but a meaningful baseline.
- Does the intake form ask for more than it clinically needs? Data you never provide can't be leaked later.
A tracking pixel doesn't ask permission. It just runs, quietly, in the background of a form you filled out because you were worried about a symptom.
A provider worth knowing for its privacy practices
The provider below has publicly documented its handling of patient data as part of its platform standards.
A provider with documented privacy standards
Sesame operates as a HIPAA-compliant platform with a published privacy policy specific to how patient data is handled across its provider marketplace.
See Sesame Care's privacy policy → Paid linkThe bottom line
Telehealth doesn't automatically mean your data is treated with the same care a doctor's office would give it — the enforcement record over the past three years proves that convincingly. It also doesn't mean the opposite. The difference comes down to specific companies making specific choices about their data infrastructure, and those choices are usually disclosed somewhere in a privacy policy most people never open. Open it anyway, at least once.