HIPAA / Business Associate Privacy Statement

Effective Date: 2022-07-07


Who We Are and How HIPAA Applies to Wave

As a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA), Wave Life, Inc. (“Wave,” “we,” “us,” or “our”) is contractually obligated to safeguard Protected Health Information (PHI) in accordance with the HIPAA Privacy Rule and Security Rule. We maintain administrative, physical, and technical safeguards to protect any PHI we access or process on behalf of our Covered Entity clients.

Please note that Wave is not itself a Covered Entity as defined under HIPAA (45 CFR §160.103). Our obligations arise through Business Associate Agreements (BAAs) executed with our Covered Entity partners, and our compliance efforts are scoped accordingly.

Changes to this Statement

We may change the terms of this Statement, consistent with our obligations under HIPAA and our BAAs. We will post the current version and make it available on request by contacting our Privacy Officer at privacy@wavelife.io.

How We May Use or Disclose PHI

We use and disclose PHI only as permitted by our Business Associate Agreements, as directed by the Covered Entity partner on whose behalf we hold the information, and as permitted or required by law. We do not use or disclose PHI for purposes outside the scope of those agreements.

Providing the Wave service

Wave offers a mental health platform that connects members with mental health coaches and digital tools to help them build self-awareness, clarify their values, and cope with stress. Where relevant, and as permitted under our agreements, we use and disclose PHI to provide these coaching services and tools.

Care Operations

We may use and disclose PHI for operations that support the service, such as quality checks on coaching sessions, internal audits, arranging for legal services, training and improving Wave’s artificial intelligence models we use to support and train coaches, and developing our coaching approaches — in each case as permitted by our agreements and applicable law.

Payment

We may use and disclose PHI to support billing and payment for the service, for example to confirm enrollment or eligibility with a partner, as permitted by our agreements.

Business Associates and Subcontractors

Where we engage subcontractors that handle PHI on our behalf, we require them by written agreement to safeguard PHI and use it only as permitted, consistent with our own obligations.

As Required by Law; Threats to Health or Safety; Legal Process

We may use and disclose PHI as required by law; to prevent or lessen a serious threat to health or safety; to law enforcement as permitted by law; and to comply with a court or administrative order, subpoena, or discovery request, with efforts made to notify or obtain a protective order where required — in each case consistent with our agreements and HIPAA.

Additional Restrictions on Use and Disclosure

Certain federal and state laws may require special privacy protections that restrict the use and disclosure of certain health information, including highly confidential information about you. Such laws may protect the following types of information:

  • Alcohol and Substance Abuse

  • Biometric Information

  • Child or Adult Abuse or Neglect, including Sexual Assault

  • Communicable Diseases

  • Genetic Information

  • HIV/AIDS

  • Mental Health

  • Minors’ Information

  • Prescriptions

  • Reproductive Health

  • Sexually Transmitted Diseases

If a use or disclosure of health information described above in this notice is prohibited or materially limited by other laws that apply to us, it is our intent to meet the requirements of the more stringent law.

Minimum Necessary

When we use, disclose, or request PHI, we make reasonable efforts to limit it to the minimum necessary to accomplish the intended purpose, to the extent required by law and our agreements.

Individual Rights Complaints and Questions

If you believe your privacy rights have been violated, you may contact us using the information below. Depending on the circumstances, complaints may also be directed to the Covered Entity partner or to the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against anyone for filing a complaint.

Contact Us

To contact Wave about this Statement or our privacy practices, email privacy@wavelife.io or write to us at:

Wave Life, Inc.

Attention: Privacy Officer

700 El Camino Real, Suite 120

Menlo Park, CA 94025, United States

Acknowledgment

We provide this Statement so that you understand how Wave safeguards PHI as a Business Associate and the scope of our HIPAA obligations. A copy is available on request.