
Separate HIPAA Notice of Privacy Practices for Clinical Data

High severity · Medium confidence · Explicit document language · Unique · 0 of 352 platforms
Document Record

What it is

The policy states that health information processed through clinical service workflows may be classified as HIPAA-protected health information governed by a separate Notice of Privacy Practices, while non-clinical consumer data remains subject to this general privacy policy.

This analysis describes what Hims & Hers's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This provision establishes a dual-document governance structure in which clinical and non-clinical data are subject to different privacy frameworks, and users receiving both clinical and consumer services from Hims & Hers operate under overlapping but distinct sets of data rights and protections.

Interpretive note: The document does not specify the precise operational boundary between HIPAA-covered and non-HIPAA-covered data collection touchpoints, which may create ambiguity for users who interact with both clinical and consumer services.

Consumer impact (what this means for users)

This provision establishes that users receiving telehealth or clinical services have their health information governed by a separate HIPAA Notice of Privacy Practices, while general consumer data collected through platform interactions is governed by this privacy policy. The applicable data rights, including those for access, amendment, and disclosure restrictions, differ across these two frameworks.

Monitoring

Hims & Hers has changed this document before.

Original Clause Language

"If you receive clinical services through our platform, your health information may be considered protected health information (PHI) under HIPAA. In that case, our Notice of Privacy Practices governs the use and disclosure of your PHI, and the terms of this Privacy Policy apply to non-PHI information we collect about you."

— Excerpt from Hims & Hers's Hims & Hers Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

1) REGULATORY LANDSCAPE: HIPAA (enforced by HHS OCR) governs PHI processed by covered entities and their business associates. The CCPA/CPRA provides separate but potentially overlapping rights for consumer health data outside HIPAA coverage. The interaction between HIPAA's preemption provisions and state consumer privacy laws creates jurisdictional complexity, particularly in California where CPRA's carve-out for HIPAA-regulated entities may not extend to all data collected by a dual-purpose platform.

2) GOVERNANCE EXPOSURE: High. Maintaining two parallel privacy governance frameworks for the same user population creates operational risk. If PHI inadvertently flows into non-clinical data systems, HIPAA protections may not apply, and the user may not be aware. Conversely, if consumer data is treated as PHI when it is not, unnecessary HIPAA compliance obligations may be assumed.

3) JURISDICTION FLAGS: California's CPRA carve-out for HIPAA-covered information does not necessarily extend to all health data collected by a company that also operates as a covered entity. Washington's My Health My Data Act does not include a full HIPAA carve-out, creating additional obligations for health data collected from Washington residents regardless of HIPAA coverage status.

4) CONTRACT AND VENDOR IMPLICATIONS: Vendors receiving data from the platform must be assessed separately for HIPAA Business Associate Agreement requirements (for PHI flows) and standard data processing agreement requirements (for consumer data flows). A vendor receiving both categories of data requires dual contractual coverage.

5) COMPLIANCE CONSIDERATIONS: Compliance teams should ensure the HIPAA Notice of Privacy Practices is provided at or before the point of clinical service initiation, that data flow mapping clearly distinguishes PHI from consumer personal information, and that system architecture enforces separation between clinical and non-clinical data environments.


Applicable agencies

  • HHS OCR
    HHS OCR enforces HIPAA Notice of Privacy Practices requirements and investigates complaints related to improper use or disclosure of protected health information.

Provision details

Document information
Document: Hims & Hers Privacy Policy
Entity: Hims & Hers
Document last updated: July 5, 2026

Tracking information
First tracked: July 5, 2026
Last verified: July 5, 2026
Record ID: CA-P-013275
Document ID: CA-D-00907

Evidence Provenance
Content hash (SHA-256): b8d8a749b829206ea447774fc34efb6510397ba35713344941241037d807a11c
Analysis generated: July 5, 2026 02:24 UTC
Evidence: ✓ Snapshot stored   ✓ Hash verified

Citation Record
Entity: Hims & Hers
Document: Hims & Hers Privacy Policy
Record ID: CA-P-013275
Captured: 2026-07-05 02:24:07 UTC
SHA-256: b8d8a749b829206e…
URL: https://conductatlas.com/platform/hims-hers/hims-hers-privacy-policy/separate-hipaa-notice-of-privacy-practices-for-clinical-data/
Accessed: July 5, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity: High
Categories

Frequently Asked Questions

What does Hims & Hers's Separate HIPAA Notice of Privacy Practices for Clinical Data clause do?

This provision establishes a dual-document governance structure in which clinical and non-clinical data are subject to different privacy frameworks, and users receiving both clinical and consumer services from Hims & Hers operate under overlapping but distinct sets of data rights and protections.

How does this clause affect you?

This provision establishes that users receiving telehealth or clinical services have their health information governed by a separate HIPAA Notice of Privacy Practices, while general consumer data collected through platform interactions is governed by this privacy policy. The applicable data rights, including those for access, amendment, and disclosure restrictions, differ across these two frameworks.

Is ConductAtlas affiliated with Hims & Hers?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Hims & Hers.