Security & privacy

Security & data protection

How ClearPath GI protects patient health information — for patients enrolling on their own and for healthcare organizations reviewing safeguards and BAAs.

256-bit encryptionData encrypted in transit and at rest
Free for patientsNo cost, no premium tier, ever
No app requiredReminders sent directly to your phone via SMS or email
BAA for organizationsExecuted before patient-related organization access

How we protect your information

The same safeguards apply whether you enroll independently or your practice partners with ClearPath GI.

If you're a patient

Enrolling in ClearPath GI as a reminder service does not require a Business Associate Agreement with a healthcare organization. We still apply administrative, technical, and physical safeguards appropriate to the health information you provide. We collect only what is needed for reminders and optional practice connection: name, phone, email, date of birth, home ZIP code, and your next due date window. Clinical records, diagnoses, and procedure findings are not collected or stored.

If you're an organization

ClearPath GI LLC is a Business Associate under HIPAA when a covered entity partners with us to access patient contact information for scheduling coordination. That disclosure requires a signed BAA before any organization features that access patient-related data are enabled. Subprocessor and audit documentation for vendor review is provided upon request during onboarding — not as a public download.

At a glance

Summary for vendor review and privacy due diligence.

Platform role

Business Associate (45 CFR §160.103)

PHI collected

Name, phone, email, date of birth, ZIP code, next due date, follow-up interval

PHI not collected

Diagnosis codes, clinical notes, insurance, SSN, financial data

BAA required

Before any patient contact information is disclosed to an organization

Data residency

United States

Subprocessors

Disclosed in executed BAA appendix

Your privacy rights

How patients exercise privacy rights. Read the Notice of Privacy Practices

Access and update your information

View and update your name, contact details, and next due date from your dashboard at any time. For a full copy of what we hold, contact privacy@clearpathgi.com — we acknowledge requests within 5 business days.

Delete your account

Remove your account from account settings. Your profile disappears from organization-facing views immediately. We retain a limited regulatory archive as described in our Notice of Privacy Practices, then permanently delete or de-identify your data.

Revoke organization consent

If you opted in to share contact details with a participating practice, you may revoke that consent from your dashboard at any time. Revocation is effective immediately and is logged.

We will never sell or share your information.

Security controls

Technical and administrative safeguards in production today — not aspirational policies.

Business Associate Agreement (BAA)

A BAA is executed with every healthcare organization before your team can use organization features that access patient-related data (for example, Care Outreach lists and outreach reporting). ClearPath GI LLC is the Business Associate when a covered entity partners for those features. A copy is provided upon request during onboarding and legal review.

Encryption in transit and at rest

All data is transmitted over TLS 1.2 or higher (TLS 1.3 where supported). Patient PHI fields — including name, phone number, email address, and date of birth — are encrypted at rest in the database. Encryption keys are managed separately from application credentials.

Minimum necessary access

ClearPath GI follows the HIPAA minimum necessary standard. Organization invoices can show enrollment counts for purchased ZIP codes or service areas. The organization dashboard lists only patients who opted in to share data for scheduling coordination; contact details are shown only for those patients and only to your organization.

Explicit patient consent for PHI disclosure

Patient contact information constitutes PHI under HIPAA. Before any PHI is disclosed to a healthcare organization, the patient must take an explicit, documented opt-in action from their secure dashboard. Consent is timestamped, logged, and reversible. No passive opt-in, no pre-checked box.

Immutable audit log of PHI access

Every access, disclosure, and modification of PHI is written to an immutable, append-only audit log with the authenticated user, timestamp, IP address, and action type. Logs are retained for 10 years unless a legal hold applies. Organizations may request audit documentation for their patients during vendor review by contacting support@clearpathgi.com.

Automatic session timeout

Authenticated sessions on the patient dashboard show a 60-second countdown warning before automatic logout after 15 minutes of idle time. Organization and administration portal sessions follow the same policy. This is a HIPAA Security Rule control (§164.312(a)(2)(iii)) to protect against unauthorized access on shared or unattended devices.

Organization access model

Each provisioned organization staff member receives a unique login with owner-level access to your organization's dashboard, billing, and care outreach tools. Team access is granted during onboarding by ClearPath GI and recorded in our audit log. Additional role tiers are not offered in the current release.

Sign-in: passwordless for patients, MFA for staff portals

Patients sign in on clearpathgi.com with one-time codes sent by SMS or email—no password to remember, and sign-in stays on our site. Organization staff and platform administrators sign in on their dedicated portal addresses (organization.clearpathgi.com and admin.clearpathgi.com) with email, password, and multi-factor authentication on every login, also without leaving for a separate sign-in page. Credentials are verified by our identity provider; ClearPath GI does not operate its own password database.

Reliability and independent reminder delivery

We design for 99.9% uptime. Reminder delivery runs independently of the patient dashboard — if the dashboard is temporarily unavailable, scheduled reminders continue to send.

HIPAA rules we design around

Administrative, technical, and physical safeguards mapped to the HIPAA Security and Privacy Rules.

Privacy Rule (45 CFR Part 164, Subpart E)

  • PHI is collected only with patient consent
  • Minimum necessary standard applied to all disclosures
  • Patient rights to access, amend, and delete their health information honored
  • No PHI disclosed to organizations without documented patient consent
  • Notice of Privacy Practices presented at enrollment

Security Rule (45 CFR Part 164, Subpart C)

  • Access controls: unique user identifiers, automatic session logoff
  • Audit controls: activity logs for all PHI access and disclosures
  • Integrity controls: data modification requires authenticated action
  • Transmission security: TLS for all data in transit
  • Encryption: PHI encrypted at rest

Breach Notification Rule (45 CFR Part 164, Subpart D)

  • Breach notification procedures established per 45 CFR §164.400
  • BAA includes breach notification obligations and timelines
  • Covered entity will be notified within required timeframes upon discovery of any breach involving their patients

Security questions or vendor review?

For BAA execution, security questionnaires, or subprocessor documentation, use our contact form or email us directly. Include your organization name and legal entity in your message.