Gusto · Gusto Privacy Policy

Health Benefits Data Processing

High severity

What it is

When your employer uses Gusto to manage health benefits, Gusto collects your health insurance choices, dependent information, and related health data as part of benefits administration.

Clause stability: Highly Volatile

Changes: 1
Months monitored: 1
First seen: Apr 28, 2026
Last seen: Apr 28, 2026
This clause has changed once in 1 month of monitoring.

Change history

modified Apr 29, 2026

Previous version had no excerpt; current version adds specific examples of health data types collected (insurance elections, dependent information, health plan data).


Consumer impact (what this means for users)

Employees whose health benefits are managed through Gusto have their health insurance elections and potentially their dependents' information held by Gusto, which may or may not be subject to HIPAA protections depending on Gusto's contractual role.


Why it matters (compliance & risk perspective)

Health benefits data is among the most sensitive personal information, and depending on Gusto's role, it may trigger HIPAA obligations that provide stronger protections than general privacy law.

Original clause language

Gusto collects and processes health benefits information in connection with its benefits administration services, including information about employees' health insurance elections, dependent information, and related health plan data.

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: HIPAA (45 CFR Parts 160, 164) applies if Gusto qualifies as a Business Associate under 45 CFR §160.103 by handling Protected Health Information (PHI) on behalf of a covered employer health plan. CPRA classifies health information as 'sensitive personal information' (§1798.140(ae)(1)) requiring enhanced disclosure. ADA (42 U.S.C. §12112) and GINA (29 U.S.C. §1182) restrict use of health and genetic information in employment contexts. HHS OCR enforces HIPAA; EEOC enforces ADA/GINA. (2)


Applicable agencies

  • HHS OCR
    HHS Office for Civil Rights enforces HIPAA with respect to health information handled by business associates like Gusto in the context of employer health benefit administration.
  • FTC
    The FTC's Health Breach Notification Rule and FTC Act Section 5 apply to health data handled by non-HIPAA-covered entities, providing a regulatory backstop if HIPAA does not apply.

Provision details

Document information
Document: Gusto Privacy Policy
Entity: Gusto
Document last updated: April 29, 2026
Tracking information
First tracked: April 28, 2026
Last verified: April 28, 2026
Record ID: CA-P-003673
Document ID: CA-D-00294
Evidence Provenance
Source URL
Wayback Machine
SHA-256: d6e7cfbbde265012f8586fe6121a9e92a0ebc041ed4ea1611b6f921b07b3be2a
Verified: ✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Gusto | Document: Gusto Privacy Policy | Record: CA-P-003673
Captured: 2026-04-28 04:53:53 UTC | SHA-256: d6e7cfbbde265012…
URL: https://conductatlas.com/platform/gusto/gusto-privacy-policy/health-benefits-data-processing/
Accessed: May 2, 2026
Classification
Severity: High
Categories
