HIPAA / Business Associate Privacy Statement
Effective Date: 2022-07-07
Who We Are and How HIPAA Applies to Wave
As a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA), Wave Life, Inc. (“Wave,” “we,” “us,” or “our”) is contractually obligated to safeguard Protected Health Information (PHI) in accordance with the HIPAA Privacy Rule and Security Rule. We maintain administrative, physical, and technical safeguards to protect any PHI we access or process on behalf of our Covered Entity clients.
Please note that Wave is not itself a Covered Entity as defined under HIPAA (45 CFR §160.103). Our obligations arise through Business Associate Agreements (BAAs) executed with our Covered Entity partners, and our compliance efforts are scoped accordingly.
Changes to this Statement
We may change the terms of this Statement, consistent with our obligations under HIPAA and our BAAs. We will post the current version and make it available on request by contacting our Privacy Officer at privacy@wavelife.io.
How We May Use or Disclose PHI
We use and disclose PHI only as permitted by our Business Associate Agreements, as directed by the Covered Entity partner on whose behalf we hold the information, and as permitted or required by law. We do not use or disclose PHI for purposes outside the scope of those agreements.
Providing the Wave service
Wave offers a mental health platform that connects members with mental health coaches and digital tools to help them build self-awareness, clarify their values, and cope with stress. Where relevant, and as permitted under our agreements, we use and disclose PHI to provide these coaching services and tools.
Care Operations
We may use and disclose PHI for operations that support the service, such as quality checks on coaching sessions, internal audits, arranging for legal services, training and improving Wave’s artificial intelligence models we use to support and train coaches, and developing our coaching approaches — in each case as permitted by our agreements and applicable law.
Payment
We may use and disclose PHI to support billing and payment for the service, for example to confirm enrollment or eligibility with a partner, as permitted by our agreements.
Business Associates and Subcontractors
Where we engage subcontractors that handle PHI on our behalf, we require them by written agreement to safeguard PHI and use it only as permitted, consistent with our own obligations.
As Required by Law; Threats to Health or Safety; Legal Process
We may use and disclose PHI as required by law; to prevent or lessen a serious threat to health or safety; to law enforcement as permitted by law; and to comply with a court or administrative order, subpoena, or discovery request, with efforts made to notify or obtain a protective order where required — in each case consistent with our agreements and HIPAA.
Additional Restrictions on Use and Disclosure
Certain federal and state laws may require special privacy protections that restrict the use and disclosure of certain health information, including highly confidential information about you. Such laws may protect the following types of information:
Alcohol and Substance Abuse
Biometric Information
Child or Adult Abuse or Neglect, including Sexual Assault
Communicable Diseases
Genetic Information
HIV/AIDS
Mental Health
Minors’ Information
Prescriptions
Reproductive Health
Sexually Transmitted Diseases
If a use or disclosure of health information described above in this notice is prohibited or materially limited by other laws that apply to us, it is our intent to meet the requirements of the more stringent law.
Minimum Necessary
When we use, disclose, or request PHI, we make reasonable efforts to limit it to the minimum necessary to accomplish the intended purpose, to the extent required by law and our agreements.
Individual Rights Complaints and Questions
If you believe your privacy rights have been violated, you may contact us using the information below. Depending on the circumstances, complaints may also be directed to the Covered Entity partner or to the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against anyone for filing a complaint.
Contact Us
To contact Wave about this Statement or our privacy practices, email privacy@wavelife.io or write to us at:
Wave Life, Inc.
Attention: Privacy Officer
700 El Camino Real, Suite 120
Menlo Park, CA 94025, United States
Acknowledgment
We provide this Statement so that you understand how Wave safeguards PHI as a Business Associate and the scope of our HIPAA obligations. A copy is available on request.

