When you use Headspace's therapy or psychiatry services, your clinical health information is protected by HIPAA, and Headspace itself is bound by HIPAA rules as a business associate of the treating providers.
This analysis describes what Headspace's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
HIPAA provides meaningful federal protections for clinical health data, including restrictions on how it can be used and shared, and gives patients specific rights including access, amendment, and accounting of disclosures that go beyond general privacy law.
Users who receive therapy, psychiatry, or clinical coaching through Headspace have their clinical health records protected under HIPAA, which restricts sharing with third parties including advertisers and provides rights to access and correct those records; however, this protection applies specifically to clinical service data and not to general wellness or behavioral data collected through other Headspace features.
Headspace has changed this document before.
"Our Services are delivered by our Care Providers. For Care Providers in the US, they are classified as covered entities under the Health Insurance Portability and Accountability Act ("HIPAA"). Headspace is subject to HIPAA as our Care Providers' business associate. Our Care Providers may provide you an additional privacy notice during enrollment which we encourage you to review." — Excerpt from Headspace's Headspace Privacy Policy
REGULATORY LANDSCAPE: This provision directly implicates HIPAA, enforced by the HHS Office for Civil Rights. Headspace's classification as a business associate requires execution of a Business Associate Agreement with each covered Care Provider, compliance with the HIPAA Privacy Rule and Security Rule, and breach notification obligations under the HIPAA Breach Notification Rule. The provision does not detail the scope of the BAA or the specific permitted and required uses of protected health information, which are material compliance details.
GOVERNANCE EXPOSURE: High. The business associate relationship creates significant compliance obligations including technical and administrative safeguards, minimum necessary use standards, and breach notification timelines. The policy's acknowledgment of this structure is positive from a transparency standpoint, but compliance teams should verify that BAAs are in place with all relevant Care Providers and that data flows are mapped to distinguish PHI from non-PHI wellness data.
JURISDICTION FLAGS: HIPAA applies federally in the United States to covered entities and their business associates. Users outside the US accessing clinical services may be governed by different frameworks (GDPR for EU users). California users may have additional protections under the CMIA (Confidentiality of Medical Information Act). The dual applicability of HIPAA and state medical privacy laws in California creates heightened exposure.
CONTRACT AND VENDOR IMPLICATIONS: Any vendor or partner receiving PHI from Headspace must have a valid BAA in place. Procurement teams should verify that downstream technology vendors used in clinical service delivery (telehealth platforms, EHR systems, analytics tools) are covered by appropriate BAAs and that their data practices are consistent with HIPAA minimum necessary standards.
COMPLIANCE CONSIDERATIONS: Compliance teams should audit the completeness of BAA coverage across all Care Provider relationships, confirm that PHI data flows are segregated from general consumer data flows, and verify that breach notification procedures meet HIPAA's 60-day notification requirement. The policy's reference to a separate HIPAA Notice of Privacy Practices should be reviewed for consistency with the main policy.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Headspace.