This review contains affiliate links. We earn a commission if you sign up with a provider through our links, at no extra cost to you. It has no bearing on how we evaluate or rank providers — see our full disclosure policy.

Most people assume anything they tell a telehealth platform is automatically as protected as what they'd tell a doctor in an exam room. That assumption has been wrong often enough, and expensively enough, that it's worth actually understanding the rules rather than trusting the vibe of a privacy policy nobody reads.

The enforcement record, briefly

Since 2023, the FTC has taken action against a string of digital health companies for sharing sensitive health data with advertising platforms through tracking pixels — small pieces of code that quietly report user activity to companies like Meta and Google. GoodRx paid $1.5 million. BetterHelp paid $7.8 million in consumer refunds for sharing mental health information with Facebook and others. Cerebral was fined $7 million. Across roughly 19 documented cases between 2023 and 2025, penalties and settlements tied to this exact pattern have exceeded $100 million.

$100M+ total penalties across ~19 pixel-tracking privacy cases in U.S. healthcare, 2023–2025
130 hospital systems and telehealth providers formally warned by FTC and HHS about tracking risks in 2023
2026 year state health-data privacy laws like Washington's MHMDA became a major compliance driver

Why "it's healthcare, HIPAA covers it" is wrong more often than people think

HIPAA only applies to "covered entities" — doctors, hospitals, health plans, and their direct business associates. A large share of telehealth-adjacent apps and platforms simply don't meet that definition, even though they're collecting information that feels exactly as sensitive as what a doctor's office would ask. That gap is exactly where the FTC's Health Breach Notification Rule has stepped in, treating unauthorized disclosure of health data as a reportable breach even for companies HIPAA doesn't reach.

The short version

Being HIPAA-compliant is a real and meaningful standard. But "we're not required to follow HIPAA" doesn't mean a platform can do whatever it wants with your data — it means a different regulator (usually the FTC, sometimes a state law) is the one enforcing the boundary instead.

What was actually happening in the cases that got fined

The common pattern across GoodRx, BetterHelp, Premom, and Cerebral: embedded tracking code on the website or app — often for ordinary-seeming analytics or advertising purposes — transmitted details like symptoms entered into an intake form, appointment types booked, or even specific health conditions searched, to third parties like Meta and Google, usually without the kind of clear, specific consent regulators consider adequate. In one notable case, a federal jury found Meta liable under California's privacy law for collecting menstrual and reproductive health data through a period-tracking app's embedded software — the data flowed out via code most users never knew was there.

What's changed in the platforms doing this well

Partly due to regulatory pressure and partly due to browser changes that broke third-party tracking anyway (Safari and Firefox now block or limit third-party cookies by default), many telehealth companies rebuilt their data infrastructure in 2025–2026 around first-party data collection and server-side processing that doesn't route sensitive information through ad-tech companies at all. That's a genuinely better architecture from a privacy standpoint, not just a compliance workaround.

What to actually check before you use a platform

A tracking pixel doesn't ask permission. It just runs, quietly, in the background of a form you filled out because you were worried about a symptom.

A provider worth knowing for its privacy practices

The provider below has publicly documented its handling of patient data as part of its platform standards.

Reviewed providers

A provider with documented privacy standards

Sesame Care HIPAA-compliant

Sesame operates as a HIPAA-compliant platform with a published privacy policy specific to how patient data is handled across its provider marketplace.

See Sesame Care's privacy policy →

The bottom line

Telehealth doesn't automatically mean your data is treated with the same care a doctor's office would give it — the enforcement record over the past three years proves that convincingly. It also doesn't mean the opposite. The difference comes down to specific companies making specific choices about their data infrastructure, and those choices are usually disclosed somewhere in a privacy policy most people never open. Open it anyway, at least once.