Deleting Your GLP-1 Telehealth Account: What Actually Gets Removed
You finish treatment, decide to try a different platform, or just want out. You click the link that says "delete my account." Something happens, a confirmation email lands, and the thing feels closed. It isn't, not entirely. Here's what "account deletion" actually means at a GLP-1 telehealth company, and what you can do to close the gaps.
The three layers of your data
Your data at a telehealth company lives in three places, and each follows a different rulebook when you request deletion.
Layer 1: Account and marketing data
This is the easy layer. Your name on the marketing CRM, your email on the newsletter list, your account login, your saved shipping address, your order history from the e-commerce side. Under CCPA, CPRA, GDPR, and similar laws, you have a right to request deletion of personal data that isn't required to be retained. A reasonable company will delete this on request, usually within 30-45 days.
Layer 2: Medical records
Your medical records are different. Under state medical record retention laws, a healthcare provider is typically required to keep patient records for 6-10 years from the last date of service. In some states, records must be kept even longer for minors (until age of majority plus several years). This requirement exists for a reason: if a medical issue emerges later, the records must exist for both your benefit and the clinician's defense.
So when you "delete your account," the medical practice entity (the PC or PLLC that employed your prescribing clinician) will not delete your records. What they will do:
- Mark the chart inactive
- Close any open prescriptions or standing orders
- Stop sending you treatment-related communications
- Limit staff access to the inactive record
The records stay in the EHR for the state-mandated retention period. After that, they are destroyed according to the company's retention policy.
Layer 3: Downstream data (pharmacies, labs, payment processors)
Your data has left the telehealth platform and flowed to business associates. Each of those has its own retention obligations:
- Pharmacies: Prescription records, 2-5 years under DEA/state law; some state laws require longer retention.
- Labs: Lab results retained under CLIA and state law, typically 2-10 years.
- Payment processors: Transaction data retained under PCI and banking regulations, usually 7 years.
- Shipping carriers: Address data retained per carrier policy, typically 1-2 years.
When you delete your telehealth account, these downstream records are generally not affected unless you individually request deletion from each entity (and they have discretion about whether retention requirements permit it).
What a compliant deletion process looks like
A well-run telehealth company responds to a deletion request along these lines:
- Acknowledgment within 10 days. Confirms the request was received and the process has started.
- Identity verification. A reasonable step to prevent malicious deletion requests.
- Scope explanation. Clear statement of what will be deleted (marketing/account data) and what will be retained with legal basis (medical records for X years).
- Completion confirmation within 45 days. Specific notice that the account and associated marketing data have been removed.
- Information about next steps. How to request a copy of medical records before destruction, how to request full deletion at the end of the retention period, and how to pursue the right of access to residual data.
What a non-compliant process looks like
- No acknowledgment. You click the link, nothing happens.
- Pushback or retention. The company refuses to delete, cites vague legal obligations, or asks you to stay enrolled to "keep your records available."
- Buried or unavailable self-service. No obvious way to initiate deletion through the interface.
- Ongoing marketing after deletion. You delete your account, you still get emails a month later. This is a compliance failure and a complaint-worthy event.
Your rights, state by state (high level)
| State / law | What it gives you |
|---|---|
| California (CCPA/CPRA) | Right to deletion of personal information, with exceptions for medical records subject to CMIA and HIPAA |
| Washington (My Health My Data Act) | Strong right to delete consumer health data; exceptions for HIPAA-covered records |
| Virginia, Colorado, Connecticut, Utah | General deletion rights under state consumer privacy laws |
| All states (HIPAA) | Right of access to your records; right to request amendment; no general right to deletion of PHI during retention period |
| All states (FCRA) | Right to dispute and correct consumer reports, including prescription history reports |
The practical checklist
- Request a full copy of your records before initiating deletion. Under HIPAA's right of access, you can request medical records; under CCPA and similar, you can request a data export. Do this first — you can't get records after they've been destroyed.
- Initiate account deletion through the platform's self-service tool or written request. If neither exists, email the privacy contact listed in the policy.
- Separately request removal from marketing lists. Sometimes this is a different process than account deletion. Use the unsubscribe link on recent emails.
- If you had ID verification photos submitted, ask specifically for their deletion. These are often held by a third-party KYC vendor and need separate handling.
- Keep records of your deletion request. Screenshot everything. Save confirmation emails. These become evidence if you ever need to file a complaint.
- If the company doesn't respond within its stated timeframe, file complaints with your state Attorney General's office, the HHS Office for Civil Rights (for HIPAA-covered entities), and the FTC.
- Don't panic about medical record retention. It's a legal requirement and it's in your interest in most scenarios. After the retention period ends, you can ask again.
The uncomfortable truth about data permanence
Even with a perfectly executed deletion request, some information will persist. Aggregate analytics — the fact that a user at your IP address visited on a certain date — may be retained in marketing attribution systems for years. De-identified data that was already included in a research dataset cannot be "uncombined" from that dataset. Backups on archival storage may retain your information for longer than live systems, though reputable companies delete backups on their regular rotation schedule.
This isn't a reason to avoid requesting deletion. It's a reason to have realistic expectations. Deletion is a process of removing the data the company controls, not of erasing your past interactions from the internet.
The takeaway
Account deletion at a GLP-1 telehealth company is a real thing and worth doing, but it's not the same as total data removal. Your marketing profile and login data go; your medical records stay for the state-mandated retention period; downstream data at pharmacies, labs, and payment processors follows its own rules. The best thing you can do is: request your records before deletion, document the process, and hold the company accountable to its stated timelines. If they fail, the complaint channels work.