Join Phoebe Gutierrez in this solo episode of Telemedicine Talks as she drops a wake-up call: while you’re obsessing over DEA audits and state boards, the FTC is quietly screenshotting your checkout flow, your cancel button, and every pixel you fire to Meta. One $7M Cerebral fine later, the message is crystal clear—telehealth isn’t just medicine; it’s e-commerce on steroids, and the FTC owns the rulebook. Learn the three red flags that trigger an FTC letter, the ROSCA checklist that keeps you off their list, and the exact audit you can run today before regulators do it for you.
This episode is sponsored by Lightstone DIRECT. Lightstone DIRECT invites you to partner with a $12B AUM real estate institution as you grow your portfolio. Access the same single-asset multifamily and industrial deals Lightstone pursues with its own capital – Lightstone co-invests a minimum of 20% in each deal alongside individual investors like you. You’re an institution. Time to invest like one.
__________________________
In this solo episode of Telemedicine Talks, Phoebe Gutierrez sounds the alarm: the FTC—not the DEA—is now telehealth’s #1 threat.
Forget clinical protocols—the Federal Trade Commission is laser-focused on consumer protection, and telehealth’s cash-pay subscription model is their new favorite target. It started with Cerebral: $7 million fined—not for bad psychiatry, but for burying the cancel button, auto-renewing without consent, and piping mental-health data straight to Meta. The FTC’s three-pillar hit list?
Auto-renewal transparency (no pre-checked boxes, no fine-print surprises)
One-click cancellation (if signup is online, cancellation must be too)
Zero sneaky data sharing (visiting your addiction-medicine site is PHI the moment the pixel fires)
Phoebe translates ROSCA (Restore Online Shoppers’ Confidence Act) into plain English and hands you the exact checklist 90% of telehealth startups still ignore.
In this episode, you'll hear why “we’ll just email support” is now a violation, why “non-identifiable” data isn’t a loophole, and why 2026 will see 3–5 new FTC scalps on the telehealth wall.
Three Actionable Takeaways:
About the Show
Telemedicine Talks explores the evolving world of digital health, helping physicians navigate new opportunities, regulatory challenges, and career transitions in telemedicine.
About the Host
[00:00:00] Okay, so this episode is just me, Phoebe. Not that it matters, but Leo and I have both been traveling and doing a lot for work. So we've had limited time to connect directly. So I'm gonna be doing a couple episodes that are just me in more of like my consulting framework and we'll get back together with Leo and resume, you know, business as usual very shortly.
In today's episode of Telemedicine Talks, I am going to be talking about the agency that nobody is really watching or really even thinking about, but definitely should be. While everyone is thinking about the DEA and state boards, the FTC has really taken the driver's seat approach to healthcare, and they're not necessarily worried about clinical protocols.
They're coming for data practices, marketing techniques, and being honest in your [00:01:00] day-to-day of how you acquire patients. So if you're running a telehealth subscription or a membership model, or even a one-time signup with an auto-renew box, this episode is for you. Because what the FTC is doing right now isn't about medicine.
It's really about consumer protections, and they're using that lens to make examples out of digital health companies, and you definitely don't wanna be on their list. So, here is the short version of what's happening, and you all have probably heard me talk about marketing compliance in other episodes, but I definitely want to emphasize the FTC is the one that you don't even realize is watching you.
They have started to aggressively enforce rules around subscription, billing, sharing of patient data, and just general online advertising. And as we know, lots of companies are trying [00:02:00] to acquire patients and you're wanting to figure out the coolest and different techniques of marketing. You really have to think about, you know, the rules and how you can actually do it a correct way.
So the FTC, the Federal Trade Commission is focusing on three main areas, auto renewals and cancellation workflows, refund and billing transparency, and then of course how you are acquiring patient data and whether or not you're sharing any of that with potential advertisers. And they're not just looking at bigger companies, they are looking at companies across the board.
So anybody who's doing any sort of advertising, really this is something that you have regulators looking after. The message is super simple: if your patients cannot easily understand what they're being charged for, they can't, in a [00:03:00] simple way, cancel their subscription, and they cannot, from a patient perspective or a consumer perspective, trust that their data isn't being sold for marketing, you're potentially out of compliance and could be on the FTC's list.
So I kind of wanna go back and orient everybody around like where this started. So if you can go back and think about Cerebral. Cerebral and Done are back in the news right now because their leadership team just got indicted. Everything's kind of like front and center in courts today. The FTC fined Cerebral $7 million for doing deceptive practices.
So it wasn't necessarily just bad medicine even. We all know it was bad medicine, but it was for making cancellations really difficult. You know, you would sign up for the services, you would wanna cancel, and you couldn't actually figure out how. They would auto-renew subscriptions without consent.
So, as we know in telemedicine, in prescribing in general, [00:04:00] there has to be a way for the provider to check in with the patient and confirm that like those prescriptions are still needed. Like that's the whole point of, why there are rules around, synchronous visits and follow up visits and so.
They were auto-renewing subscriptions, not having a clear consent, not allowing people to cancel those subscriptions. And then in addition, they were also sharing sensitive mental health data with Meta and other advertisers. So they were taking that information back from their consumer base and then going back and giving it to the marketing companies and mean like, target them more, go sell them more.
It really was kind of a big wake up call, 'cause this was the first one in digital health where the FTC was like, look like this is a problem. And this was also one of the big things. I mean, we all know Cerebral had many issues along with their [00:05:00] compliance, but. Just to emphasize, this was the one I think that gave other telemedicine companies a big wake up call and going like, okay, well we're not just a healthcare provider.
We are technically an e-commerce business. We are a marketplace. We are a tech company that's dabbling in healthcare. We are going to be under the FTC's, you know, spotlight. So since then, the FTC has been really, really crystal clear that they're looking at how you're charging patients, how you're refunding patients, and how you're marketing and storing that data.
And so, you know, they really expect that your subscription model needs to follow something called ROSCA, which is the Restore Online Shoppers' Confidence Act. Look it up if you don't know what it is, but basically that is how you are supposed to operate as you are working in healthcare as a trusted clinical service and how you are supposed to set up your operations to comply with the various [00:06:00] rules.
Most companies don't comply with it. I will be 100% honest in my experience, but it's a good framework to think about how to do things the correct way. And again, it is one of the things that the FTC is going to look at and audit you against if they choose to, you know, look at your marketing practices.
Marketing's huge and again, I really just wanna emphasize here. You have these companies that come in and their goal is to make money. And the hardest thing in telemedicine, in digital health, in business is finding that client, finding that patient, finding that person to serve. And so you wanna get creative with how you market.
You want to get sticky and capture, you know, your patients and your memberships, and you want people to stay, but at the end of the day in healthcare, there are certain rules you have to follow, and ROSCA is one of those ones that definitely is gonna outline exactly how you are supposed to [00:07:00] be a trusted consumer base and how you're effectively supposed to market.
So now I'm gonna jump into what the FTC actually is enforcing here, and you wanna think about it. It's really these three big buckets that they're looking at. And it is the auto-renewal transparency, so patients need to clearly understand what they're signing up for. And then of course, anything that has auto-renew.
From a prescription standpoint, you cannot just allow a person to continue to get prescriptions without following up with them. This isn't just vitamin D. This isn't just something that can be put on your renewals, like toilet paper. You really have to think you are giving patients prescriptions and there needs to be medical necessity determinations. There needs to be additional verifications. You know, you as a company, as a physician, as a clinician, need to do your due diligence to follow up. So there can [00:08:00] be no pre-checked boxes or, you know, bill-later fine print.
Like, there really has to be that clear of like, what constitutes as auto-renewal and how all of that works. The second thing is canceling. Cancellation has to be easy. It cannot be something where a person signs up and gets locked into it. So if your patient has to email support or call during normal business hours and actually physically talk to somebody, that's technically a violation. In these, you're a digital health company; the least you can do is come up with a simple workflow where people are able to cancel or request a cancellation online.
So you wanna of course, build that into your operations as you're thinking about it. And again, from a consumer's perspective, if you've ever been on the flip side where you're like, oh crap, I signed up for this membership. I cannot get out. You need to also think that is an FTC violation because they are not allowed to do that.
And the third is [00:09:00] data privacy. And so I have said this many, many, many times, but in healthcare, collecting patient data, you really have to treat it in the most sensitive of ways. And what I mean by that is most companies actually are tracking the second you go to their website; they are looking at every click and everything that you are going over.
But did you know from a digital health perspective that is technically non-compliant? It actually violates Meta terms and Facebook terms, so you are not able to actually track and monitor from that perspective anymore, because let's say you own like an addiction medicine platform and you are pulling in every single email of every single person that visits your website. It's safe to infer that a person that is going to your website might have some addiction issues or might need some [00:10:00] additional mental health support, which again, if you are breached, that's a violation of, you know, sharing, a PHI violation.
So you wanna think about those things. So you know, if you are doing any sort of data collection, it is really important of course, that you need to think about how you are securing that data. But on the flip side, if you're sharing any patient data, so if you are taking that information that you are collecting and then transmitting it to a third party, even if it's non-identifiable.
You have to have explicit patient consent that they gave you rights to market to them. And that's again, why a lot of websites or companies will have "join my wait list" or, you know, "sign up here," because you're able to collect that consent. I can tell you, I know many companies that don't do that process and actually will just collect whatever data they can so they can market to those individuals.
You [00:11:00] have to understand that you are going to be working with different teams and different law firms. And at the end of the day, everybody is trying to make it to where, how you can either skirt rules or somehow get around this stuff so you can make more money, and the FTC does not care about that.
Because at the end of the day, it's about consumer protections, patient protections, and so the questions I always say to you all is, as you're building your companies or as you're thinking about these things, would you be comfortable with your information being collected that way?
Would you be comfortable being sucked into a membership without a cancellation? Are you comfortable from a consumer's perspective with the practices and the protocols that you are putting out operationally? And if the answer is yes, fine, go for it. If the answer's no or you have to second guess it, you might wanna look and double down on some of those things and just make [00:12:00] sure that you are not violating anything.
So, you know, kind of to like recap and really talk a little bit about why this hits telehealth and telemedicine so hard is that most of telehealth runs on cash pay. We know that, right? It runs on subscriptions, either monthly or quarterly, or even annual, and that is totally fine.
The problem is that most of these systems were designed for revenue continuity, not consumer transparency, and in so many other markets, that's fine. You're running a gym membership, you're running a small wellness clinic, you're doing salt baths, that's fine. But when you dabble into healthcare, it's a different beast.
So, most operations were built to reduce churn and to make cancellations kind of tough. And in healthcare [00:13:00] that's a huge problem. On the data side, you wanna think about so many startups that are relying on Meta pixels and Google Tag Manager or different analytics tools that track conversions.
And if any of that data is including health information or diagnosis codes or prescription data, or even like mental health keywords, it's an FTC and a HIPAA violation, and that is like double trouble. Like I think everybody who listens to this podcast knows that HIPAA is like the biggest violation of them all, and that is again, where the FTC and HIPAA are doubling up here.
If you are concerned about your operational practices, here is how to get compliant, just from like a general example. So, audit your signup flow. Go through your website, your app as a patient: can you see what you're buying? Can you understand the pricing? Is it [00:14:00] transparent? Does it talk about how cancellations work?
And is the renewal schedule very obvious to you? You of course wanna simplify your cancellation, so you wanna either make it a button or some sort of process to where it's pretty seamless. Make sure your privacy policy is up to date and includes all of this information. Don't share specific data with ad platforms and don't track specific data based on just people viewing your website.
Then of course, talk to your marketing teams and your support teams so that they understand these rules. Your marketing leads need to understand what's off limits for marketing. So from a marketing and growth perspective, they're there to get patients, to get data, to get leads, to get conversions.
They're not gonna know all these nuances from the legal and compliance side, so you wanna make sure that they understand that. You wanna make sure that your customer support team understands how to handle cancellations transparently. [00:15:00] And then of course, if you don't have a compliance officer, which nobody does, and it pains my heart.
But whoever plays that role needs to be auditing these things on a normal frequency, just to double check and make sure that you're not violating anything majorly. As I mentioned, enforcements are coming super quick. So like, here's my prediction. The FTC is gonna bring at least three to five new telehealth cases in 2026, and every year they're becoming more and more and more. And part of that is there are new regulations that are directly aimed at telemedicine companies because historically it just didn't exist. Things were brick and mortar, it was clinic. We are in kind of a different environment and so, I think they're gonna be making examples out of companies that are building in unnecessary friction for some of these things.
Mainly [00:16:00] around some of the, you know, patient consent, data sharing, cancellations, of course. And I'd like to say again, this is going to be something that they're gonna be trying to set as examples so other companies don't continue the same practices. So if you're a startup, you know, this could be a total death sentence for you if you get thrown into the regulatory hurdle of all these enforcements.
So the big takeaways for you is that, in 2026, it's not just like operational and medical compliance that you have to think about. Like, you definitely wanna think about how you're marketing and how you are handling your sales and memberships, you know, along the way. Make your billing transparent, make your cancellations easy.
Clean up your data practices. In this world, like the FTC is not just asking, like they are watching you. Because again, from a regulator's perspective, what we do is we are in the shadows. We are watching, we're looking at your [00:17:00] website, we're taking screenshots, we are building our case.
So when it lands, there's really nothing you can say, and saying "I didn't know these rules existed" is not defensible.
So my name's Phoebe, and this is your quick update on where I think you should be focusing for 2026. These are my predictions on what I think is going to be heavily enforced coming in the next year, and how you can get ahead of it.
Thanks for listening.