Your employees love telemedicine. It's fast, easy, and they don't have to sit in a waiting room. But there's a quiet problem brewing under the surface, and it's not a hacker in a hoodie stealing records. It's something far more subtle, and far more dangerous for anyone running a self-funded health plan.
The problem is this: your telemedicine platform is likely sharing data about your employees with third parties you'd never expect. And that data isn't just being used for "research" or "quality improvement." It's being used to price your insurance risk. Yep. The very same vendor you hired to lower costs could be handing your underwriter the ammunition to raise your rates.
The Three Ways Data Leaks Without You Noticing
Most benefits leaders I talk to ask one question during vendor vetting: "Are you HIPAA compliant?" The answer is always yes. But HIPAA is the floor, not the ceiling. Here's what nobody is looking at:
1. Metadata is a goldmine
Every time an employee opens the app, the vendor collects metadata. Time of day. Condition category. Frequency of visits. Is there a sudden spike in mental health visits after a restructuring? A surge in GLP-1 inquiries? That isn't harmless anonymous data; it's a leading indicator of future claims. And it's being sold.
2. "De-identified" data is a myth
Many platforms sell aggregated data to pharma companies and data brokers and describe it as anonymous. But aggregation only hides people when many of them share the same attributes. In a plan with 500 employees, one person with a rare condition sits alone in their age, sex, ZIP and condition bucket, so the "anonymous" row still points at exactly one individual. The promise of de-identification is often a legal fiction.
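The re-identification point above can be checked mechanically. The following is an added example, not code from the page or from any vendor: it runs a k-anonymity and l-diversity check over a small constructed "de-identified" export (invented records for a hypothetical group "ACME-500"; the column names, the `group`/`age_band`/`sex`/`zip3` quasi-identifiers and the `condition` sensitive attribute are all assumptions for illustration). It shows that a row with a rare condition is unique on its quasi-identifiers, and that the release only becomes safe once it is generalized down to the group level, where it carries no per-member information at all.

```python
from collections import defaultdict

# Constructed sample of a "de-identified" telemedicine export for this example:
# names and member IDs removed, quasi-identifiers kept. All values are invented.
RECORDS = [
    {"group": "ACME-500", "age_band": "40-49", "sex": "F", "zip3": "021", "condition": "hypertension"},
    {"group": "ACME-500", "age_band": "40-49", "sex": "F", "zip3": "021", "condition": "hypertension"},
    {"group": "ACME-500", "age_band": "40-49", "sex": "F", "zip3": "021", "condition": "anxiety"},
    {"group": "ACME-500", "age_band": "30-39", "sex": "M", "zip3": "021", "condition": "anxiety"},
    {"group": "ACME-500", "age_band": "30-39", "sex": "M", "zip3": "021", "condition": "glp1_inquiry"},
    {"group": "ACME-500", "age_band": "30-39", "sex": "M", "zip3": "021", "condition": "anxiety"},
    {"group": "ACME-500", "age_band": "50-59", "sex": "M", "zip3": "024", "condition": "narcolepsy"},
    {"group": "ACME-500", "age_band": "20-29", "sex": "F", "zip3": "024", "condition": "anxiety"},
]

# Attributes an outsider (broker, underwriter, HR) can link back to a person.
QUASI_IDS = ("group", "age_band", "sex", "zip3")
# The attribute the release is supposed to protect.
SENSITIVE = "condition"


def equivalence_classes(records, quasi_ids):
    """Map each quasi-identifier tuple to the records that share it."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi_ids)].append(r)
    return classes


def k_anonymity(records, quasi_ids):
    """Smallest equivalence class size. k == 1 means some row is unique on its quasi-identifiers."""
    classes = equivalence_classes(records, quasi_ids)
    return min((len(rows) for rows in classes.values()), default=0)


def l_diversity(records, quasi_ids, sensitive):
    """Fewest distinct sensitive values in any class. l == 1 means a class discloses its
    members' condition even when k > 1, because every member shares the same value."""
    classes = equivalence_classes(records, quasi_ids)
    return min((len({r[sensitive] for r in rows}) for rows in classes.values()), default=0)


def rows_to_suppress(records, quasi_ids, k_min):
    """Records whose equivalence class is smaller than k_min. A release should drop or
    generalize these before anyone calls the export anonymous."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for rows in classes.values() if len(rows) < k_min for r in rows]


def generalization_ladder(records, quasi_ids, order):
    """Drop quasi-identifiers one at a time (coarsening the release) and report k at each step,
    so you can see how much detail must go before the data stops pointing at individuals."""
    kept = list(quasi_ids)
    ladder = [(tuple(kept), k_anonymity(records, kept))]
    for attr in order:
        kept.remove(attr)
        ladder.append((tuple(kept), k_anonymity(records, kept)))
    return ladder


if __name__ == "__main__":
    print("k =", k_anonymity(RECORDS, QUASI_IDS))                 # 1: at least one unique row
    print("l =", l_diversity(RECORDS, QUASI_IDS, SENSITIVE))      # 1: a class reveals its condition
    for r in rows_to_suppress(RECORDS, QUASI_IDS, k_min=2):
        print("unique on quasi-identifiers:", r)
    for kept, k in generalization_ladder(RECORDS, QUASI_IDS, order=("zip3", "sex", "age_band")):
        print(f"quasi-identifiers {kept}: k = {k}")
```

Run against the constructed export, the narcolepsy row and the 20-29 F row are singletons (k = 1), and k stays at 1 after dropping ZIP and sex; only when age band goes too, leaving nothing but the employer group, does k rise to 8. That is the practical meaning of "effectively identifiable": the vendor can strip names and still hand a broker a row that describes one of your employees. Asking a vendor for the k and l values of what it actually releases, with a stated minimum, is a more useful question than "is it de-identified?"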
3. The PBM connection is the real danger
Here's the kicker: a growing number of telemedicine platforms are owned by, or have deep data-sharing deals with, Pharmacy Benefit Managers (PBMs). That means prescribing data from your employees' telemedicine visits flows directly to the PBM. And that same PBM is the one you're trying to audit for spread pricing and hidden rebates. You're handing your adversary the playbook.
Why This Is an ERISA Time Bomb
Under ERISA, fiduciaries have a duty to act solely in the interest of plan participants. If your telemedicine vendor shares data that allows your stop-loss carrier to reprice your renewal because it saw your group's rising GLP-1 usage, that's a direct violation of that duty. Even worse: if an employee's sensitive health info leaks to a life insurer or future employer, you could be on the hook for breach of fiduciary duty.
The question you should be asking isn't "Are you HIPAA compliant?" It's these:
- Who owns the metadata?
- Do you sell any data, aggregated or otherwise, to third parties?
- Do you have a data-sharing agreement with my PBM?
- Can you guarantee that no claim-relevant data leaves your system?
If the answers are vague, you have a problem that won't show up on a compliance checklist until it's too late.
The Solution: Data Sovereignty as a Fiduciary Tool
This is why the next generation of benefits platforms, like the integrated health-to-wealth systems being built today, offer a different approach. Instead of a patchwork of point solutions that each own a slice of your data, these ecosystems keep everything in-house. The data never leaves that ecosystem. It's used only to improve employee health and lower plan costs, not to feed underwriters or data brokers.
That's not just a privacy feature. It's a fiduciary advantage. And it's the only way to avoid the silent leak that's already happening in thousands of employer plans.
What to Do This Week
- Audit your telemedicine vendor's data agreements. Don't accept boilerplate. Ask for a clear description of every third party that touches the data.
- Demand a "no data leakage" clause. Require that the vendor cannot share, even in de-identified form, any data that could be used for underwriting or pricing.
- Request a data hygiene certification: a third-party audit of the actual data flows, not just a SOC 2 report, which attests to the vendor's own controls rather than to who receives the data.
- Consider an integrated ecosystem. Fewer hands on the data means less risk.
Telemedicine isn't going anywhere. But the way you buy it, and trust it, needs to change. The leak is silent, but the consequences are loud.