Headspace acts as a 'business associate' under HIPAA for its Care Providers (therapists, psychiatrists), meaning your health information from therapy or psychiatry sessions is subject to federal health privacy rules. Your Care Provider may give you a separate HIPAA Notice of Privacy Practices.
HIPAA provides important federal protections for your health data collected during clinical services, and knowing Headspace is covered means you have specific federal rights over that data.
Headspace's designation as a HIPAA business associate to its affiliated Care Provider covered entities creates direct compliance obligations under 45 CFR Parts 160 and 164, including breach notification duties and restrictions on PHI use and disclosure. Legal teams should assess the BAA framework and whether data flows to advertising/analytics vendors are consistent with HIPAA's minimum necessary standard.
Headspace collects highly sensitive personal data including mental health information, therapy session details, and behavioral data from your use of their app, and may share this with advertising partners and third-party service providers. Users in therapy or psychiatry programs are subject to HIPAA protections, but general app users should be aware their meditation habits and wellness data may be used for targeted advertising. You can request deletion of your personal data or opt out of certain data sharing by visiting Headspace's privacy rights portal or emailing privacy@headspace.com.