Ro Telehealth Data Tracking & Privacy Investigation

The Lyon Firm is investigating Ro telehealth websites for potential data tracking technology and health privacy violations.

According to a recent investigation published on The Markup website, popular telehealth websites, including Roman, have allegedly been using data tracking tools and sharing users’ medical and personal information with Facebook and other big tech companies.

Private information entered on telehealth websites (Roman, Ro) is often shared with tech companies through tracking code and without user consent.

The Markup reported that 49 direct-to-consumer telehealth companies had third-party tracking code on their sites, with the potential to share data with third parties. The study follows another privacy report that revealed many healthcare systems in the U.S. were using tracking code on their web portals.

In many cases, user answers to medical questionnaires regarding health conditions, medical histories, and drug use were sent to big tech firms. Dozens of the telehealth websites shared email addresses, phone numbers, and full names.

Information collected from some websites is sent to Meta, Google, TikTok, Bing, Snap, Twitter, LinkedIn, and Pinterest, possibly for future use in targeted advertising.

Ro is a website geared toward patients seeking treatments for erectile dysfunction, weight loss, skincare, mental health, fertility, and hair loss.

In response to the investigation, a spokesperson from Ro released this statement:

“We are strongly committed to creating a safe place for our patients to access and receive care, which requires protecting patient privacy and complying with applicable laws and regulations. While we are not a HIPAA Covered Entity as we are an all-cash pay business, we nonetheless undertake serious efforts to protect our patients’ health information. We maintain and adhere to an up-to-date and comprehensive Privacy Policy for our patients. Additionally, we have a Data Subject Access Request program that allows our patients to exercise their rights to opt-out and exercise data deletion consistent with state laws. We continually evaluate our practices and follow the evolving legislative and regulatory landscape to ensure the appropriate protection of patient health information.”

Can I Sue Ro for HIPAA Violations?

The Lyon Firm is still investigating whether any data collection process was unlawful. Remote healthcare providers are HIPAA-covered entities, and disclosures of protected health information are therefore restricted by the HIPAA Privacy Rule. The HHS’ Office for Civil Rights has confirmed that the use of third-party tracking code on health websites violates HIPAA if that tracking code collects and transfers protected health information (PHI) to third parties, unless the third party qualifies as a business associate.

Sometimes telehealth websites are not actually bound by HIPAA rules, but more often the information collected through these websites is passed on to HIPAA-covered entities. In a scramble to protect themselves, some have begun removing tracking technology from their websites to review the legality of their business.

Some healthcare systems have added these tracking technologies to their websites to improve the user experience, while others may be benefiting financially.

The question is more about transparency, as many users are unaware that information they provide directly through answers on web forms and medical questionnaires can be shared with other companies.

It is also unclear to consumers how the big tech companies use the transferred data, though there are some obvious theories. Meta has been named a defendant in several privacy lawsuits, some of which allege health data has been used to serve targeted advertising.

Experts have said new regulation is needed because current privacy regulations like HIPAA were not made for telehealth companies like Roman and Ro, leaving huge gaps in the law.

If you have reason to believe your personal information has been compromised by any telehealth company, contact the Lyon Firm to discuss your personal privacy and potential legal action.