What Your GLP-1 Intake Form Is Actually Doing With Your Data
You clicked a Facebook ad, landed on a GLP-1 telehealth site, and filled out a form that asked your weight, height, medical history, psychiatric history, the medications you're on, your insurance status, whether you've ever had a thyroid tumor, and — somewhere around field 47 — your credit card number. Where did all of that just go?
The short answer: further than you think, to more places than you'd expect, and not all of those places are covered by the privacy protections people assume apply.
This isn't a piece about scare tactics. HIPAA is real, it has teeth, and most legitimate GLP-1 telehealth platforms do follow it. But the intake form is the messiest junction in the entire process, because it sits at the boundary between marketing (where HIPAA doesn't apply) and medical care (where it does). The line between those two things is thinner than the industry likes to admit.
The three stages of your intake form
Think of the form as a relay race with three legs. Your data changes legal status at each handoff.
Leg 1: The landing page (pre-HIPAA)
Before you're a patient, you're a lead. The first few questions — usually name, email, state, and some qualifying info like height and weight — are collected by the marketing side of the business. At this stage, the company isn't yet a covered entity under HIPAA with respect to you. The landing page is a funnel, and that funnel is often built with the same third-party tracking tools that power every other e-commerce site on the internet: Meta pixels, Google Analytics, TikTok pixels, and various marketing attribution platforms.
What this means practically: if you abandon the form before completing it, the fragments you submitted may have already been sent to Meta or Google for ad targeting purposes. Even if you complete it, the existence of your interaction — that you, at your IP address, visited a GLP-1 site — is often in those systems.
Leg 2: The medical questionnaire (HIPAA kicks in)
Once you establish a provider-patient relationship — usually signaled by creating an account, paying, or explicitly consenting to evaluation — the data becomes Protected Health Information (PHI). From that moment, the telehealth company is a covered entity and must handle your data under HIPAA.
This is the leg where the serious medical questions live: psychiatric history, history of pancreatitis, thyroid cancer family history, current medications, eating disorder history, pregnancy status. All of this is PHI. Legally, the company can only use it for treatment, payment, or healthcare operations, plus whatever you specifically authorize.
Leg 3: Downstream sharing
This is where it gets complicated. Your PHI typically moves through several partners, each a "business associate" under HIPAA:
- The telehealth platform software (often a white-labeled EHR)
- The prescribing clinician's practice group (frequently a separate PC/PLLC entity)
- The compounding pharmacy or dispensing pharmacy
- The lab, if blood work is part of the protocol
- The payment processor (limited to financial data)
- The shipping carrier (limited to name and address)
Each of those entities has signed a Business Associate Agreement (BAA) with the telehealth brand, or at least is supposed to have. They're contractually bound to HIPAA. If you're working with a legitimate company, this chain is tight and documented.
The fields you probably didn't think about
Every GLP-1 intake form asks for certain categories of information. Here's what each is really for — and where it ends up.
| Field | Stated purpose | Where it typically goes |
|---|---|---|
| Height, weight, goal weight | BMI calculation, medical eligibility | EHR, prescribing clinician, often retained indefinitely |
| Before/after photos (some platforms) | Progress tracking | EHR; some platforms ask for rights to use anonymized photos in marketing — read that consent carefully |
| Psychiatric history | Screen for contraindications (e.g., eating disorders, certain SSRIs) | EHR, clinician; generally stays inside PHI |
| Family history of thyroid cancer / MEN2 | Boxed warning screening | EHR, clinician |
| Driver's license or ID photo | Identity verification, age verification | KYC vendor (often a third party like Jumio, Persona, or similar); sometimes retained, sometimes not — depends on the vendor |
| Insurance card | Billing, coverage checks | Payer portals, billing system |
| Credit card | Payment | Payment processor (Stripe, Braintree, etc.) — this is PCI-regulated, separate from HIPAA |
| Email and phone | Communication | EHR + marketing CRM + SMS provider; frequently used for re-engagement campaigns |
Three uses of your data that are legal but surprising
Most people assume "HIPAA" means "no one can do anything with my data." Not quite. Here are three legitimate, compliant uses you may not have anticipated:
1. "Healthcare operations" is broad. HIPAA lets covered entities use PHI for quality improvement, training, utilization review, and internal analytics without your specific authorization. That includes aggregated analysis of their own patient base — how many people at what BMIs respond to what doses. Your individual record feeds that analysis.
2. De-identified data can be sold. If a dataset is properly de-identified under the HIPAA Safe Harbor method (18 specific identifiers removed) or a statistical expert certifies it as de-identified, it stops being PHI and can be sold or shared freely. Many telehealth companies monetize anonymized outcomes data through research partnerships.
3. Marketing communications you opted into. The fine print of most intake forms includes an opt-in to receive treatment-related communications. That's often broad enough to cover promotional messages about new products, referral offers, and retention campaigns.
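The Safe Harbor method in point 2 is concrete enough to check mechanically. The following is an added example, not code from the article or from any telehealth vendor: it runs a constructed GLP-1 intake record through the 18 Safe Harbor identifier categories (outright removal of names, contact details, account and device identifiers, IPs and photos; generalization of dates to year, ZIP to three digits, and ages over 89 to "90+"), scrubs contact patterns out of free-text notes, and reports what it stripped. Field names, the restricted-ZIP list, and the sample record are assumptions for illustration.

```python
"""Added example (not from the article): minimal HIPAA Safe Harbor
de-identification over a constructed GLP-1 intake record."""
import re
from datetime import date

# Categories that must be removed outright: names, phone, fax, email, SSN,
# MRN, health-plan id, account numbers, licence numbers, vehicle and device
# ids, URLs, IP addresses, biometrics, full-face photos, other unique ids.
# Field names are assumptions about what an intake form might call them.
REMOVE_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "insurance_member_id",
    "account_number", "drivers_license", "vin", "device_serial", "url",
    "ip_address", "id_photo", "face_photo", "fingerprint",
}
# Three-digit ZIP prefixes the HHS guidance lists as covering <= 20,000
# people; Safe Harbor turns these into 000. Assumption: copied from the
# published guidance, re-check against the current version before use.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}
DATE_FIELDS = {"dob", "visit_date", "ship_date"}   # keep year only
# Contact patterns that tend to leak into free-text clinician notes.
FREE_TEXT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def generalize_zip(zip_code):
    """Keep the first three digits, or 000 for restricted prefixes."""
    zip3 = str(zip_code).strip()[:3]
    if not re.fullmatch(r"\d{3}", zip3) or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3


def generalize_date(value):
    """Reduce a date object or ISO string to its year (None if unparseable)."""
    if isinstance(value, date):
        return value.year
    m = re.match(r"(\d{4})-\d{2}-\d{2}", str(value))
    return int(m.group(1)) if m else None


def generalize_age(age):
    """Ages over 89 are aggregated into a single 90+ bucket."""
    return "90+" if age >= 90 else age


def scrub_free_text(text):
    """Replace contact patterns in free text; return (cleaned, labels hit)."""
    hits = []
    for label, pattern in FREE_TEXT_PATTERNS.items():
        if pattern.search(text):
            hits.append(label)
            text = pattern.sub(f"[{label} removed]", text)
    return text, hits


def deidentify(record):
    """Return (de-identified record, list of what was removed or scrubbed)."""
    out, removed = {}, []
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            removed.append(key)
        elif key in DATE_FIELDS:
            out[key + "_year"] = generalize_date(value)
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        elif isinstance(value, str):
            out[key], hits = scrub_free_text(value)
            removed.extend(f"{key}:{h}" for h in hits)
        else:
            out[key] = value
    # A birth year would reveal an age over 89, so it goes too in that case.
    if isinstance(record.get("age"), int) and record["age"] >= 90 and "dob_year" in out:
        out["dob_year"] = None
        removed.append("dob_year")
    return out, removed


SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Example", "email": "jane@example.com",
    "phone": "555-010-0199", "dob": "1971-04-12", "age": 54,
    "zip": "02139", "state": "MA", "height_in": 66, "weight_lb": 212,
    "goal_weight_lb": 170, "thyroid_cancer_family_history": False,
    "current_meds": ["metformin"], "visit_date": "2024-08-03",
    "clinician_notes": "Discussed dosing; pt prefers text at 555-010-0199.",
    "ip_address": "203.0.113.7",
}

if __name__ == "__main__":
    cleaned, stripped = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("removed:", stripped)
```

The point of returning the `removed` list alongside the record is auditability: a research-partnership export can log exactly which identifier categories were stripped per record, which is the evidence a reviewer asks for when a company claims a dataset "stops being PHI." Note that Safe Harbor also requires the covered entity to have no actual knowledge that the residual data could identify someone, which no field-level filter can prove on its own.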
The five red flags on an intake form
- No privacy policy linked from the form itself. If you have to hunt through the footer to find one, that's a choice.
- Pre-checked consent boxes for "marketing partners" or "third-party offers." Any consent worth having should be opt-in, not opt-out.
- Demands for your ID photo before any eligibility screening. Some identity verification is reasonable; collecting your driver's license before you even know if you qualify is aggressive.
- Vague language about "affiliated partners" without naming them. A legitimate BAA chain is a short list of specific business associates, not an open-ended grant.
- "We may sell aggregated data" language with no explanation of the de-identification standard. The Safe Harbor method has specific requirements; if the policy doesn't mention them, the de-identification may not be rigorous.
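The Leg 1 concern (ad and analytics scripts loaded on the same page that collects health fields) and the red flags above can be checked statically against a page's HTML. The following is an added example, not the article's or any vendor's code: it parses a page, reports tracking-script hosts present alongside health-related fields, pre-checked consent boxes, a missing privacy-policy link inside the form itself, and vague "affiliated partners" wording. The tracking-host list, the sensitive field names, the phrase list and both sample pages are assumptions constructed for illustration.

```python
"""Added example (not from the article): static audit of an intake page's
HTML for tracking scripts next to health fields and the consent red flags."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts commonly associated with ad/analytics pixels (assumed list; extend
# it from your own tag-manager inventory).
TRACKING_HOSTS = {
    "connect.facebook.net", "www.googletagmanager.com",
    "www.google-analytics.com", "analytics.tiktok.com",
}
# Field names whose presence makes the page health-related (assumed).
SENSITIVE_FIELDS = {"weight", "height", "medications", "psychiatric_history",
                    "thyroid_history", "pregnancy_status", "drivers_license"}
# Open-ended sharing language worth flagging (assumed phrase list).
VAGUE_PARTNER_PHRASES = ("affiliated partners", "third-party offers",
                         "marketing partners")


class IntakeAuditor(HTMLParser):
    """Collects script hosts, form fields, pre-checked boxes, links inside
    the form, and visible text so the checks in audit_intake_page can run."""

    def __init__(self):
        super().__init__()
        self.script_hosts, self.fields = set(), set()
        self.prechecked, self.form_links, self.text_chunks = [], [], []
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in_form = True
        elif tag == "script" and a.get("src"):
            host = urlparse(a["src"]).netloc.lower()
            if host:                      # ignore same-origin relative paths
                self.script_hosts.add(host)
        elif tag in ("input", "select", "textarea"):
            name = (a.get("name") or "").lower()
            if name:
                self.fields.add(name)
            # A boolean `checked` attribute parses as key present, value None.
            if (a.get("type") or "").lower() == "checkbox" and "checked" in a:
                self.prechecked.append(name)
        elif tag == "a" and self._in_form and a.get("href"):
            self.form_links.append(a["href"].lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False

    def handle_data(self, data):
        self.text_chunks.append(data.lower())


def audit_intake_page(html):
    """Return the collected evidence plus a list of finding codes."""
    p = IntakeAuditor()
    p.feed(html)
    p.close()
    text = " ".join(p.text_chunks)
    trackers = sorted(p.script_hosts & TRACKING_HOSTS)
    sensitive = sorted(p.fields & SENSITIVE_FIELDS)
    vague = [ph for ph in VAGUE_PARTNER_PHRASES if ph in text]
    findings = []
    if trackers and sensitive:
        findings.append("tracking_scripts_with_health_fields")
    if p.prechecked:
        findings.append("prechecked_consent")
    if not any("privacy" in href for href in p.form_links):
        findings.append("no_privacy_link_in_form")
    if vague:
        findings.append("vague_partner_language")
    return {"trackers": trackers, "sensitive_fields": sensitive,
            "prechecked": p.prechecked, "vague_phrases": vague,
            "findings": findings}


# Constructed sample pages: one that trips every check, one that passes.
FLAGGED_PAGE = """<!doctype html><html><head><title>Get started</title>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
</head><body><form action="/intake/step1" method="post">
  <input name="email" type="email">
  <input name="height" type="number"> <input name="weight" type="number">
  <select name="medications"><option>None</option></select>
  <label><input type="checkbox" name="marketing_partners" checked>
    Share my info with affiliated partners for offers</label>
  <label><input type="checkbox" name="tos"> I agree to the terms</label>
  <button>Continue</button></form>
<footer><a href="/legal/privacy">Privacy</a></footer></body></html>"""

CLEAN_PAGE = """<!doctype html><html><head><title>Medical questionnaire</title>
<script src="/static/app.js"></script></head><body>
<form action="/intake/step2" method="post">
  <input name="height" type="number"> <input name="weight" type="number">
  <label><input type="checkbox" name="tos"> I agree to the
    <a href="/legal/terms">terms</a> and <a href="/legal/privacy">privacy policy</a></label>
  <p>Your answers are shared only with your clinician and Example Pharmacy.</p>
  <button>Continue</button></form></body></html>"""

if __name__ == "__main__":
    for label, page in (("flagged", FLAGGED_PAGE), ("clean", CLEAN_PAGE)):
        print(label, audit_intake_page(page)["findings"])
```

This is a static view only: a page can also load trackers from a tag manager after load, which this parser will not see, so treat a clean result as necessary rather than sufficient and confirm it against the browser's network panel while the form is being filled in.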
What you can actually do
If you've already submitted a form and regret it, your options are real but limited:
- Request a copy of your PHI. HIPAA gives you a right of access. The company must provide your records, usually within 30 days, for a reasonable copying fee.
- Request an accounting of disclosures. You can ask who your PHI has been shared with during the six years before your request (with some exceptions for routine treatment, payment, and healthcare operations disclosures).
- Delete your marketing profile. Separate from HIPAA, most privacy policies offer a mechanism to remove you from marketing lists. This is usually a footer link or a dedicated email address.
- Invoke state privacy laws if you're in a covered state. California (CMIA, CCPA), Washington (My Health My Data Act), and several other states have protections that go beyond HIPAA — especially for the pre-HIPAA marketing stage.
- File a complaint. HHS Office for Civil Rights handles HIPAA complaints. The FTC handles deceptive practices and Health Breach Notification Rule violations.
The honest bottom line
Filling out a GLP-1 intake form is not reckless. Most legitimate telehealth companies handle your data within HIPAA, and the protections are real. The nuance is that HIPAA's edges are fuzzier than people expect — especially at the marketing-to-medical handoff, in the de-identified research pipeline, and in the "healthcare operations" bucket.
Before you click submit, do three things: read the privacy policy (ctrl-F for "sell," "third party," "aggregate," and "affiliate"), check what consents are pre-checked, and look for a named pharmacy partner. If all three pass, you're probably fine. If any of them fail, you've at least made an informed choice.