Is Hims and Hers HIPAA Compliant? Privacy and Security Explained
Overview of HIPAA Compliance
What “HIPAA compliant” means in the Hims & Hers model
HIPAA applies to covered entities (like health care providers and pharmacies) and to any business associate that handles protected health information for them. In Hims & Hers’ model, the affiliated medical groups and dispensing pharmacies are HIPAA covered entities; Hims & Hers itself says it is generally not a covered entity, though it may act as a business associate in certain relationships. That means some data you share on the platform is governed by HIPAA, while other account or shopping data may not be. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html?hl=en&utm_source=openai))
Because HIPAA only protects “protected health information” (PHI) held by covered entities or business associates, communications or site interactions that are not part of treatment, payment, or health care operations may fall under consumer privacy laws instead (for example, state laws like the CCPA/CPRA), not HIPAA. Hims & Hers’ filings acknowledge this mixed regulatory landscape and note they maintain safeguards regardless of classification. ([hims.com](https://www.hims.com/privacy-policy))
Role of Covered Entities and Business Associates
Who does what—and why it matters to you
The affiliated Medical Groups and Pharmacies deliver diagnosis, prescribing, and dispensing; they are covered entities bound by HIPAA’s privacy, security, and breach notification rules. Hims & Hers may provide services to those entities (e.g., technology, fulfillment coordination) under business associate agreements that require HIPAA-aligned protections when PHI is involved. This division explains why some parts of your Hims & Hers experience are clearly HIPAA-governed while other parts are governed by consumer privacy policies. ([hims.com](https://www.hims.com/notice-of-privacy-practices?utm_source=openai))
HIPAA requires covered entities to have written business associate agreements that spell out permitted uses and disclosures and mandate appropriate safeguards. If an entity is neither a covered entity nor a business associate as defined, HIPAA does not apply to that entity. Understanding these roles helps you know which protections attach to which interactions on the platform. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html?hl=en&utm_source=openai))
Data Encryption and Security Practices
How security is structured today
Hims & Hers reports that its cybersecurity program aligns to the NIST Cybersecurity Framework, with continuous vulnerability scanning, periodic penetration testing, vendor risk reviews, a Security Operations Center (SOC) and SIEM monitoring, independent third‑party risk assessments, and regular workforce phishing-awareness training. These controls aim to preserve the confidentiality, integrity, and availability of sensitive data across the environment. ([sec.gov](https://www.sec.gov/Archives/edgar/data/1773751/000177375126000022/hims-20251231.htm))
Where encryption fits in—and what “standards” look like
Under the HIPAA Security Rule, encryption is an “addressable” safeguard: a covered entity or business associate must implement it where reasonable and appropriate, or document why it is not and put an equivalent alternative measure in place. Separately, HHS breach‑notification guidance treats ePHI as “secured” when it is encrypted consistent with NIST guidance (data at rest per SP 800‑111; data in motion per SP 800‑52, 800‑77 or 800‑113, using FIPS 140‑validated modules), because that renders it unusable, unreadable, or indecipherable to unauthorized persons. The safe harbor holds only while the decryption key stays out of the attacker’s hands; if the key is exposed alongside the data, the data does not count as secured. For you, that means well‑implemented encryption meaningfully limits breach risk and, in some scenarios, breach‑notification duties. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2001/is-the-use-of-encryption-mandatory-in-the-security-rule/index.html?utm_source=openai))
Incident of February 2026 Cyberattack
What happened and when
Hims & Hers detected suspicious activity on February 5, 2026, involving a third‑party customer service platform. An investigation found that between February 4 and February 7, 2026, certain customer support tickets were accessed without authorization. The company described the intrusion as a social engineering attack and filed sample notices with regulators. ([oag.ca.gov](https://oag.ca.gov/system/files/Hims%20%26%20Hers%2C%20Inc.%20-%20Notice%20of%20Data%20Event%20-%20CA_0.pdf))
What data was involved—and what was not
The company says medical records and communications with health care providers on the platform were not affected. Stolen data primarily included customer names and contact details contained in support tickets; for users who contacted support between mid‑February 2025 and early February 2026, ticket content could have included the category of treatment and other information shared with customer service. ([oag.ca.gov](https://oag.ca.gov/system/files/Hims%20%26%20Hers%2C%20Inc.%20-%20Notice%20of%20Data%20Event%20-%20CA_0.pdf))
Notifications and remedies
Hims & Hers submitted a sample breach notice to the California Attorney General on April 2, 2026, and offered 12 months of complimentary credit monitoring and identity restoration. State law requires submitting a sample notice to the CA Attorney General when a breach affects 500 or more California residents; separate HIPAA breach notification obligations apply to covered entities or business associates when unsecured PHI is involved. ([oag.ca.gov](https://oag.ca.gov/system/files/Hims%20%26%20Hers%2C%20Inc.%20-%20Notice%20of%20Data%20Event%20-%20CA_0.pdf))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Privacy Policy and Customer Data Handling
How your information is classified and used
Hims & Hers’ Privacy Policy explains that it is generally not a HIPAA covered entity and that only certain components of the service—such as care delivered by the Medical Groups or dispensing by Pharmacies—are subject to HIPAA. Information you provide for account creation, browsing, payments, and general support may be treated as personal data under consumer privacy laws rather than PHI under HIPAA. The policy outlines broad data categories collected (e.g., identifiers, usage, geolocation) and routes health‑related data to the Medical Groups when used for treatment. ([hims.com](https://www.hims.com/privacy-policy))
The policy also notes that, in some jurisdictions, certain data practices may be deemed a “sale” or “sharing” of sensitive personal data under state privacy laws, with corresponding opt‑out and rights mechanisms. For HIPAA‑covered care, you receive a separate Notice of Privacy Practices from the Medical Groups that governs PHI uses and disclosures. ([hims.com](https://www.hims.com/privacy-policy))
Impact on Medical Records and Communications
What the 2026 incident means for your clinical data
Based on company statements and regulatory filings, the 2026 support‑system breach did not access the electronic medical record or in‑platform communications between you and your provider. Still, customer support tickets can contain sensitive context (for example, treatment categories), so affected users should consider the exposure akin to personal data plus limited health‑related details rather than a full medical chart disclosure. ([cybersecuritydive.com](https://www.cybersecuritydive.com/news/hims-hers-data-stolen-social-engineering/816707/?utm_source=openai))
If PHI within a covered entity’s record system is encrypted consistent with HHS/NIST guidance, HIPAA’s breach-notification “safe harbor” can apply. When non‑HIPAA personal data is involved, state breach laws govern notifications, which is why you may see both HIPAA notices (from covered entities) and state AG notices (from consumer‑facing platforms) in different situations. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html?utm_source=openai))
Future Data Protection Measures
What you can expect going forward
Following the incident, Hims & Hers stated it was reviewing policies and procedures, notified federal law enforcement, and began regulator notifications as required. Its annual report describes a maturing, NIST‑aligned program with third‑party risk reviews, SOC/SIEM monitoring, and regular workforce training—controls that, when sustained and expanded (e.g., phishing‑resistant MFA, least‑privilege vendor access, and rigorous data minimization), reduce the likelihood and impact of similar events. ([oag.ca.gov](https://oag.ca.gov/system/files/Hims%20%26%20Hers%2C%20Inc.%20-%20Notice%20of%20Data%20Event%20-%20CA_0.pdf))
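As an added illustration of the data‑minimization control mentioned above (this is not Hims & Hers’ code, and it does not describe how its support systems actually work): a first‑party service strips health‑related fields and phrases from a support ticket before handing it to a third‑party customer‑service platform, so that a compromise of the vendor platform exposes contact details and an opaque case reference but not the category of treatment. The field names, the keyword list, the pseudonymization scheme and the sample ticket are all hypothetical constructions for this example.

```python
"""Data minimization at a vendor boundary (illustrative; not Hims & Hers' code).

Constructed example: before a support ticket is forwarded to an external
customer-service platform, health-related structured fields are retained
internally and treatment/drug phrases are redacted from free text. The vendor
receives only a keyed pseudonym for the ticket. All names here are hypothetical.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Structured fields that never leave the first-party system (hypothetical schema).
SENSITIVE_FIELDS = {"treatment_category", "prescription", "provider_notes", "date_of_birth"}

# Free-text phrases that reveal a treatment category (constructed list for the example).
SENSITIVE_PATTERNS = [
    re.compile(r"\b(hair loss|erectile dysfunction|anxiety|weight loss)\b", re.IGNORECASE),
    re.compile(r"\b(sildenafil|finasteride|semaglutide)\b", re.IGNORECASE),
]


@dataclass
class Ticket:
    ticket_id: str
    customer_email: str
    subject: str
    body: str
    fields: dict = field(default_factory=dict)


def case_reference(ticket_id: str, key: bytes) -> str:
    """Keyed pseudonym: the vendor sees a stable reference but cannot recover the
    internal ticket id without the first-party key (HMAC, not a plain hash)."""
    return hmac.new(key, ticket_id.encode(), hashlib.sha256).hexdigest()[:16]


def redact_text(text: str) -> tuple[str, int]:
    """Replace matched treatment/drug phrases with a placeholder; returns (text, count)."""
    count = 0
    for pat in SENSITIVE_PATTERNS:
        text, n = pat.subn("[REDACTED]", text)
        count += n
    return text, count


def minimize_for_vendor(ticket: Ticket, key: bytes) -> tuple[dict, dict]:
    """Split a ticket into (vendor_payload, retained_internal).

    The vendor payload carries only what a support agent needs to reply; every
    health-related structured field and every matched phrase stays internal.
    """
    retained = {k: v for k, v in ticket.fields.items() if k in SENSITIVE_FIELDS}
    allowed = {k: v for k, v in ticket.fields.items() if k not in SENSITIVE_FIELDS}
    body, n_body = redact_text(ticket.body)
    subject, n_subj = redact_text(ticket.subject)
    vendor_payload = {
        "case_ref": case_reference(ticket.ticket_id, key),
        "contact": ticket.customer_email,
        "subject": subject,
        "body": body,
        "fields": allowed,
    }
    internal = {
        "ticket_id": ticket.ticket_id,
        "case_ref": vendor_payload["case_ref"],
        "retained_fields": retained,
        "redactions": n_body + n_subj,
    }
    return vendor_payload, internal


def assert_no_leak(payload: dict) -> bool:
    """Guardrail run before the outbound call: no sensitive field key and no
    matching phrase may appear anywhere in the serialized payload."""
    if any(k in payload.get("fields", {}) for k in SENSITIVE_FIELDS):
        return False
    serialized = repr(payload)
    return not any(p.search(serialized) for p in SENSITIVE_PATTERNS)


# Constructed sample ticket (not real customer data).
SAMPLE = Ticket(
    ticket_id="T-10042",
    customer_email="customer@example.com",
    subject="Shipping delay on my finasteride order",
    body="Hi, my hair loss treatment hasn't arrived. Order placed 10 days ago.",
    fields={"order_id": "ORD-7781", "treatment_category": "hair loss", "plan": "monthly"},
)

if __name__ == "__main__":
    # First-party pseudonymization key; it is never shared with the vendor.
    key = secrets.token_bytes(32)
    vendor, internal = minimize_for_vendor(SAMPLE, key)
    print("to vendor:", vendor)
    print("kept internal:", internal)
    print("safe to send:", assert_no_leak(vendor))
```

The keyword list is a backstop, not the primary control: the structured `treatment_category` field is what should be stripped, and the regex pass only catches phrases customers type into free text. The `assert_no_leak` check sits in front of the outbound call so that a schema change adding a new sensitive field fails closed rather than silently reaching the vendor.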
For your part, enable multifactor authentication, use unique passwords, and keep support exchanges concise, avoiding unnecessary sensitive details. If you received a notice, take advantage of the credit monitoring offered and remain vigilant for targeted phishing that references your past support interactions. ([oag.ca.gov](https://oag.ca.gov/system/files/Hims%20%26%20Hers%2C%20Inc.%20-%20Notice%20of%20Data%20Event%20-%20CA_0.pdf))
FAQs
What parts of Hims and Hers are subject to HIPAA?
The affiliated Medical Groups and Pharmacies are covered entities under HIPAA, so PHI handled for your diagnosis, prescribing, and dispensing is governed by HIPAA. Hims & Hers itself says it is generally not a covered entity, but in some relationships it may act as a business associate and apply HIPAA provisions to the PHI it handles in that role. ([hims.com](https://www.hims.com/notice-of-privacy-practices?utm_source=openai))
How does Hims and Hers protect personal data?
Hims & Hers reports alignment to the NIST Cybersecurity Framework, continuous vulnerability management, pen testing, SOC/SIEM monitoring, vendor risk reviews, independent assessments, and workforce security training. For HIPAA‑covered data, encryption and other technical safeguards are implemented consistent with the Security Rule’s risk‑based approach and HHS/NIST guidance. ([sec.gov](https://www.sec.gov/Archives/edgar/data/1773751/000177375126000022/hims-20251231.htm))
Was medical information compromised in the 2026 breach?
Not the medical record, according to the company: it states the electronic medical record and provider communications were not accessed. The incident involved a third‑party customer service platform; exposed data primarily included contact information, and in some cases details present in support tickets (such as category of treatment) for users who interacted with support during the affected period. A treatment category is still health‑related context, so affected users should treat it as more sensitive than contact details alone. ([oag.ca.gov](https://oag.ca.gov/system/files/Hims%20%26%20Hers%2C%20Inc.%20-%20Notice%20of%20Data%20Event%20-%20CA_0.pdf))
What steps does Hims and Hers take to ensure ongoing HIPAA compliance?
HIPAA‑covered components provide a Notice of Privacy Practices and operate under required privacy, security, and breach-notification provisions; when Hims & Hers functions as a business associate, it does so under written agreements that impose HIPAA obligations. Programmatically, the company emphasizes NIST‑aligned controls, vendor oversight, monitoring, and periodic assessments to keep safeguards effective as services evolve. ([hims.com](https://www.hims.com/notice-of-privacy-practices?utm_source=openai))