
Nov 13, 2025

Roetzel HealthLaw HotSpot: Protect Your Practice Online: Terms of Use and Privacy Policies Explained

In this episode of the HealthLaw HotSpot, host Ericka Adler is joined by shareholder and intellectual property attorney Scott Brown to discuss a topic every health care business with a website or app needs to understand: Terms of Use and Privacy Policies. Ericka and Scott break down what these documents are, why they matter and how they differ from HIPAA requirements. They also cover common mistakes, legal risks, and the simple steps practices can take to protect themselves and their patients online.

To watch the episode on YouTube, click here. To listen, download the episode on Apple Podcasts or click here.

Transcript

Ericka Adler:
Hi, everyone. Welcome to the Health Law Hotspot. I'm Ericka Adler, shareholder and leader of the health care practice at Roetzel & Andress. Today, I'm joined by Scott Brown, who's a shareholder and an intellectual property attorney at Roetzel & Andress, and we're going to be talking about something we've never talked about before, but which is a question that actually gets asked quite often: what are terms of use? When do you need them? What do they include? And what are we even talking about? I'm going to turn things over to Scott, who's going to explain what we mean when we talk about terms of use, and how that might also be accompanied by a privacy policy, which is something different from our traditional HIPAA topics.

Scott Brown:
Thanks for having me. So, I typically lump terms of use and privacy policies together. They go hand in hand. If you have one, you probably always need the other, though they are different. These are most often used for websites or mobile apps. When you’ve got a website or app, you need terms of use and a privacy policy to protect yourself and your users’ information. The terms of use essentially act as a contract between you and your users or customers. It says the material on your website belongs to you, and that users can only use it under your terms, usually with broad disclaimers like “as is” and “not medical advice.” That’s how you protect both your content and yourself from liability. The privacy policy, on the other hand, is your promise to users about what you’ll do with their information. It’s not exactly a contract – it’s a disclosure. You’re telling users how you collect, store, and use their information. There are different laws worldwide that affect this. In the EU, there’s the GDPR, which is stricter than U.S. laws. In the U.S., California’s laws, like the CCPA, are the most influential. Even if your business isn’t in California, if a California resident visits your site, you need to comply. Your privacy policy should cover how you collect information, such as names, email addresses, or communications, and what you do with it. For example, using it for analytics, advertising, or data transfers. Many businesses underestimate this and just copy policies from other sites. But it’s critical to tailor your policy to what you actually do and to check the privacy policies of any vendors you use. Lawyers can usually start from templates and adapt them to your operations. Ideally, you draft them once and don’t have to update them often because when you do, you must notify users. That’s why companies like Instagram or Facebook email you saying their terms have changed. They’re legally required to. You can notify users via email or a pop-up.
The goal is to minimize how often you need to update.

Ericka Adler:
So, when someone goes on your website and sees a privacy policy link, do they have to acknowledge it, or is just posting it enough?

Scott Brown:
Good question. This was debated heavily back in the 1990s with software licenses, but it’s now settled that a “click-through” agreement, where users click to agree, is enforceable. However, simply visiting a website can also bind users to your terms, as long as your terms of use clearly state that using the site constitutes acceptance. If you’re collecting data, processing registrations, or taking payments, it’s better to include an explicit “click to agree” checkbox.

Ericka Adler:
Right, I’ve also noticed those pop-ups about cookies. Are those related to the same thing?

Scott Brown:
Not really. The “accept cookies” pop-ups mostly come from European law under the GDPR. In the U.S., they’re not required, though many businesses use them anyway. They’re more of a European compliance feature than an American one.

Ericka Adler:
Got it. And just to clarify, a privacy policy isn’t the same thing as a business associate agreement under HIPAA, correct?

Scott Brown:
Exactly. They’re totally different. A HIPAA business associate agreement applies to protected health information (PHI) that a covered entity shares with vendors. A privacy policy applies to information a website collects from users who might not even be patients yet. So, if someone visits a health care website, enters their name and medical interests, but hasn’t become a patient, that’s not PHI under HIPAA. You still need a privacy policy to disclose what happens to that data, but your HIPAA forms don’t cover it.

Ericka Adler:
Right. And have you seen cases where a practice gets in trouble for not having terms of use or a privacy policy?

Scott Brown:
The bigger risks usually come from privacy policies. For example, if you say you’ll never share user data but then do, or if you promise to delete data on request and fail to, that’s when you see lawsuits or regulatory action. The danger often comes from copying someone else’s policy without understanding it or following it. You can easily end up out of compliance with your own terms.

Ericka Adler:
So, for anyone listening: if you have a website, a mobile app, a telemedicine platform, or you’re selling health care products, you need a terms of use and a privacy policy. These are separate from your HIPAA documents and protect you in different ways.

Scott Brown:
Exactly. And compared to other health care legal documents, these are pretty painless to create. Once they’re drafted, you can usually “set them and forget them” unless your business changes significantly.

Ericka Adler:
Perfect. Well, thanks, Scott. This is one of those administrative steps that’s easy to overlook but essential for compliance and risk reduction.

Scott Brown:
Thank you.

Ericka Adler:
And thanks to our listeners for joining us on the Health Law Hotspot. You can find more episodes at ralaw.com.