Headspace · Headspace Privacy Policy

HIPAA Business Associate Status and Clinical Health Data Governance

Severity: Medium · Confidence: High · Basis: Explicit document language · Unique (0 of 343 platforms)

Recent governance activity: Headspace recorded 2 documented changes in the last 30 days.
Document Record

What it is

When you use Headspace's therapy or psychiatry services, your clinical health information is protected by HIPAA, and Headspace itself is bound by HIPAA rules as a business associate of the treating providers.

This analysis describes what Headspace's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

HIPAA provides meaningful federal protections for clinical health data, including restrictions on how it can be used and shared, and gives patients specific rights including access, amendment, and accounting of disclosures that go beyond general privacy law.

Clause stability: Stable
Changes: 0
Months monitored: 3
First seen: May 10, 2026
Last seen: May 22, 2026
This clause type exists across 3350 other provisions on other platforms.

Change history

Modified Jun 24, 2026: Severity downgraded from high to medium and provision expanded with detailed HIPAA coverage explanation and reference to additional Care Provider privacy notices.

Consumer impact (what this means for users)

Users who receive therapy, psychiatry, or clinical coaching through Headspace have their clinical health records protected under HIPAA, which restricts sharing with third parties including advertisers and provides rights to access and correct those records; however, this protection applies specifically to clinical service data and not to general wellness or behavioral data collected through other Headspace features.

How other platforms handle this

Strava (Medium)

"If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy."

Calm (Medium)

"With your permission, we may also receive data from your mobile device's health app (like Apple HealthKit or Google Health Connect), including hours of sleep and sleep goals. However, we do not infer any health-related characteristics from this information and only process it consistent with the pur..."

Ledger (Medium)

"At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it."

Monitoring

Headspace has changed this document before.

Original clause language (document record)

"Our Services are delivered by our Care Providers. For Care Providers in the US, they are classified as covered entities under the Health Insurance Portability and Accountability Act ("HIPAA"). Headspace is subject to HIPAA as our Care Providers' business associate. Our Care Providers may provide you an additional privacy notice during enrollment which we encourage you to review."

— Excerpt from Headspace's Headspace Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision directly implicates HIPAA, enforced by the HHS Office for Civil Rights. Headspace's classification as a business associate requires execution of a Business Associate Agreement with each covered Care Provider, compliance with the HIPAA Privacy Rule and Security Rule, and breach notification obligations under the HIPAA Breach Notification Rule. The provision does not detail the scope of the BAA or the specific permitted and required uses of protected health information, which are material compliance details.

GOVERNANCE EXPOSURE: High. The business associate relationship creates significant compliance obligations, including technical and administrative safeguards, minimum necessary use standards, and breach notification timelines. The policy's acknowledgment of this structure is positive from a transparency standpoint, but compliance teams should verify that BAAs are in place with all relevant Care Providers and that data flows are mapped to distinguish PHI from non-PHI wellness data.

JURISDICTION FLAGS: HIPAA applies federally in the United States to covered entities and their business associates. Users outside the US accessing clinical services may be governed by different frameworks (GDPR for EU users). California users may have additional protections under the CMIA (Confidentiality of Medical Information Act). The dual applicability of HIPAA and state medical privacy laws in California creates heightened exposure.

CONTRACT AND VENDOR IMPLICATIONS: Any vendor or partner receiving PHI from Headspace must have a valid BAA in place. Procurement teams should verify that downstream technology vendors used in clinical service delivery (telehealth platforms, EHR systems, analytics tools) are covered by appropriate BAAs and that their data practices are consistent with HIPAA minimum necessary standards.

COMPLIANCE CONSIDERATIONS: Compliance teams should audit the completeness of BAA coverage across all Care Provider relationships, confirm that PHI data flows are segregated from general consumer data flows, and verify that breach notification procedures meet HIPAA's 60-day notification requirement. The policy's reference to a separate HIPAA Notice of Privacy Practices should be reviewed for consistency with the main policy.


Applicable agencies

  • HHS OCR
    The HHS Office for Civil Rights enforces HIPAA and has jurisdiction over complaints related to the handling of protected health information by covered entities and their business associates, including Headspace.

Applicable regulations

  • CCPA/CPRA (California, USA)
  • Connecticut Data Privacy Act Amendments (US-CT)
  • CAN-SPAM (United States Federal)
  • FTC Act Section 5 (United States Federal)
  • GDPR (European Union)
  • HIPAA (United States Federal)
  • Indiana Consumer Data Protection Act (US-IN)
  • Kentucky Consumer Data Protection Act (US-KY)
  • Universal Opt-Out Mechanism Expansion 2026 (US)

Provision details

Document information
Document: Headspace Privacy Policy
Entity: Headspace
Document last updated: May 5, 2026

Tracking information
First tracked: May 8, 2026
Last verified: May 10, 2026
Record ID: CA-P-009695
Document ID: CA-D-00216

Evidence provenance
Source URL: Wayback Machine
Content hash (SHA-256): c1c69938a2255531d9160216a80441cc6e236ee7a78005f747b818b71812b907
Analysis generated: May 8, 2026 10:00 UTC
Evidence: ✓ Snapshot stored · ✓ Hash verified

Citation record
Entity: Headspace
Document: Headspace Privacy Policy
Record ID: CA-P-009695
Captured: 2026-05-08 10:00:58 UTC
SHA-256: c1c69938a2255531…
URL: https://conductatlas.com/platform/headspace/headspace-privacy-policy/hipaa-business-associate-status-and-clinical-health-data-governance/
Accessed: June 28, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification
Severity: Medium

Frequently Asked Questions

What does Headspace's HIPAA Business Associate Status and Clinical Health Data Governance clause do?

HIPAA provides meaningful federal protections for clinical health data, including restrictions on how it can be used and shared, and gives patients specific rights including access, amendment, and accounting of disclosures that go beyond general privacy law.

How does this clause affect you?

Users who receive therapy, psychiatry, or clinical coaching through Headspace have their clinical health records protected under HIPAA, which restricts sharing with third parties including advertisers and provides rights to access and correct those records; however, this protection applies specifically to clinical service data and not to general wellness or behavioral data collected through other Headspace features.

Is ConductAtlas affiliated with Headspace?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Headspace.