Hims & Hers · Hims & Hers Privacy Policy

Collection of Sensitive Health and Medical Information

High severity · Medium confidence · Explicit document language · Unique · 0 of 352 platforms

What it is

The policy states that the platform collects health and medical information including symptoms, conditions, medications, allergies, and medical history submitted by users through intake forms, consultations, and other service interactions.

This analysis describes what Hims & Hers's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This provision establishes that sensitive health information is collected directly from users as part of the core service workflow, and the data's regulatory treatment may differ depending on whether it is processed through a HIPAA-covered clinical context or through consumer-facing intake flows outside that coverage.

Interpretive note: The document does not specify with precision which data collection flows are within HIPAA-covered entity operations versus general consumer flows, creating classification ambiguity.

Consumer impact (what this means for users)

This provision establishes that health and medical details including diagnoses, medications, and symptom history are collected and retained as part of platform use. The applicable privacy protections for this data depend on whether the information is processed within HIPAA-covered clinical operations or through general platform interactions.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    Submit a data deletion request through the privacy rights request mechanism linked in the policy. California residents may request deletion of personal information including health data collected outside HIPAA-covered workflows.

Monitoring

Hims & Hers has changed this document before.

Original Clause Language

"We collect information you provide to us directly, such as when you create an account, fill out a form, make a purchase, communicate with us, or otherwise use our Services. This includes: Health and medical information (e.g., information about your symptoms, conditions, medications, allergies, medical history, and other health-related information you provide in connection with our Services)."

— Excerpt from Hims & Hers's Hims & Hers Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

1) REGULATORY LANDSCAPE: Health information collected through HIPAA-covered clinical workflows is governed by HIPAA (enforced by HHS OCR). Health-related information collected through general consumer interactions may instead be governed by CCPA/CPRA (California Privacy Protection Agency) or state consumer health data statutes such as Washington's My Health My Data Act. The boundary between these two regulatory regimes is not uniformly specified in the document.

2) GOVERNANCE EXPOSURE: High. The simultaneous operation of HIPAA-covered clinical workflows and consumer-facing health data collection creates classification risk. If health data collected through non-clinical intake flows is not treated as PHI but is subsequently used in ways that implicate HIPAA, enforcement exposure arises. CPRA's sensitive personal information framework also applies to health data collected outside HIPAA coverage.

3) JURISDICTION FLAGS: California residents have heightened rights under CPRA with respect to sensitive personal information including health data. Washington State residents may have rights under the My Health My Data Act. Other states with consumer health data statutes may create additional obligations depending on user location.

4) CONTRACT AND VENDOR IMPLICATIONS: Any third-party vendor receiving health information collected through covered clinical operations must be subject to a Business Associate Agreement. Vendors receiving health data through consumer-facing flows must be assessed under applicable privacy contracts and data processing agreements.

5) COMPLIANCE CONSIDERATIONS: Compliance teams should map which data collection touchpoints are within HIPAA-covered entity workflows versus consumer-facing flows, ensure appropriate notice is provided for each category, and confirm that sensitive personal information rights under CPRA (including the right to limit use) are operationally implemented for health data collected outside HIPAA coverage.

Applicable agencies

  • HHS OCR
    HHS OCR enforces HIPAA with respect to protected health information processed through covered clinical and telehealth operations.
  • FTC
    The FTC has jurisdiction over consumer health data practices outside HIPAA coverage and has issued guidance on health data privacy under the FTC Act.

Provision details

Document information
  • Document: Hims & Hers Privacy Policy
  • Entity: Hims & Hers
  • Document last updated: July 5, 2026

Tracking information
  • First tracked: July 5, 2026
  • Last verified: July 5, 2026
  • Record ID: CA-P-013273
  • Document ID: CA-D-00907

Evidence Provenance
  • Content hash (SHA-256): b8d8a749b829206ea447774fc34efb6510397ba35713344941241037d807a11c
  • Analysis generated: July 5, 2026 02:24 UTC
  • Evidence: ✓ Snapshot stored   ✓ Hash verified

Citation Record
Entity: Hims & Hers
Document: Hims & Hers Privacy Policy
Record ID: CA-P-013273
Captured: 2026-07-05 02:24:07 UTC
SHA-256: b8d8a749b829206e…
URL: https://conductatlas.com/platform/hims-hers/hims-hers-privacy-policy/collection-of-sensitive-health-and-medical-information/
Accessed: July 5, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification
  • Severity: High

Frequently Asked Questions

Is ConductAtlas affiliated with Hims & Hers?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Hims & Hers.