The policy states that the platform collects health and medical information including symptoms, conditions, medications, allergies, and medical history submitted by users through intake forms, consultations, and other service interactions.
This analysis describes what Hims & Hers's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This provision establishes that sensitive health information is collected directly from users as part of the core service workflow, and the data's regulatory treatment may differ depending on whether it is processed through a HIPAA-covered clinical context or through consumer-facing intake flows outside that coverage.
Interpretive note: The document does not specify with precision which data collection flows are within HIPAA-covered entity operations versus general consumer flows, creating classification ambiguity.
This provision establishes that health and medical details including diagnoses, medications, and symptom history are collected and retained as part of platform use. The applicable privacy protections for this data depend on whether the information is processed within HIPAA-covered clinical operations or through general platform interactions.
Hims & Hers has changed this document before.
"We collect information you provide to us directly, such as when you create an account, fill out a form, make a purchase, communicate with us, or otherwise use our Services. This includes: Health and medical information (e.g., information about your symptoms, conditions, medications, allergies, medical history, and other health-related information you provide in connection with our Services)." — Excerpt from Hims & Hers's Hims & Hers Privacy Policy
1) REGULATORY LANDSCAPE: Health information collected through HIPAA-covered clinical workflows is governed by HIPAA (enforced by HHS OCR). Health-related information collected through general consumer interactions may instead be governed by CCPA/CPRA (California Privacy Protection Agency) or state consumer health data statutes such as Washington's My Health My Data Act. The boundary between these two regulatory regimes is not uniformly specified in the document.
2) GOVERNANCE EXPOSURE: High. The simultaneous operation of HIPAA-covered clinical workflows and consumer-facing health data collection creates classification risk. If health data collected through non-clinical intake flows is not treated as PHI but is subsequently used in ways that implicate HIPAA, enforcement exposure arises. CPRA's sensitive personal information framework also applies to health data collected outside HIPAA coverage.
3) JURISDICTION FLAGS: California residents have heightened rights under CPRA with respect to sensitive personal information including health data. Washington State residents may have rights under the My Health My Data Act. Other states with consumer health data statutes may create additional obligations depending on user location.
4) CONTRACT AND VENDOR IMPLICATIONS: Any third-party vendor receiving health information collected through covered clinical operations must be subject to a Business Associate Agreement. Vendors receiving health data through consumer-facing flows must be assessed under applicable privacy contracts and data processing agreements.
5) COMPLIANCE CONSIDERATIONS: Compliance teams should map which data collection touchpoints are within HIPAA-covered entity workflows versus consumer-facing flows, ensure appropriate notice is provided for each category, and confirm that sensitive personal information rights under CPRA (including the right to limit use) are operationally implemented for health data collected outside HIPAA coverage.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Hims & Hers.