Security & data protection
This page documents ClearPath GI's implemented security controls and data-handling practices for organizational due diligence, vendor questionnaires, and BAA review.
Download BAA Template [PDF — Coming Soon]
BAA template available for legal review · BAA must be executed before organization access to patient-related features
Need a signed BAA before onboarding? Contact us.
How HIPAA applies to ClearPath GI
ClearPath GI LLC is a Business Associate under HIPAA. When a healthcare organization (a Covered Entity) partners with ClearPath GI to access patient contact information for scheduling coordination, that is a PHI disclosure that requires a signed BAA.
Patient enrollment in ClearPath GI as a reminder service, without any organizational involvement, does not involve a Covered Entity and does not require a BAA. We still apply strong administrative, technical, and physical safeguards appropriate to the sensitivity of the information patients provide.
The PHI involved in the ClearPath GI model is limited to: patient name, phone number, email address, date of birth, and colonoscopy due-date window. Clinical records, diagnoses, and procedure findings are not collected or stored.
Security controls
The following controls represent implemented technical and administrative safeguards — not aspirational policies.
Business Associate Agreement (BAA)
A BAA is executed with every healthcare organization before your team can use organization features that access patient-related data (for example, Care Outreach lists and subscription reporting). ClearPath GI LLC is the Business Associate when a covered entity partners for those features. The BAA governs PHI handling for that relationship.
Encryption in transit and at rest
All data is transmitted over TLS 1.2 or higher. Patient PHI fields — including name, phone number, email address, and date of birth — are encrypted at rest in the database. Encryption keys are managed separately from application credentials.
Minimum necessary access
ClearPath GI follows the HIPAA minimum necessary standard. Subscription invoices can show enrollment counts for purchased ZIPs or service areas. The organization dashboard lists only patients who opted in to share data for scheduling coordination; contact details are shown only for those patients and only to your organization.
Explicit patient consent for PHI disclosure
Patient contact information constitutes PHI under HIPAA. Before any PHI is disclosed to a healthcare organization, the patient must take an explicit, documented opt-in action from their secure dashboard. Consent is timestamped, logged, and reversible. No passive opt-in, no pre-checked box.
Full audit log of all PHI access
Every access, disclosure, and modification of PHI is written to an immutable audit log with the authenticated user, timestamp, IP address, and action type. Audit logs are retained per HIPAA Security Rule requirements and are available to covered entity administrators in the organization portal.
Automatic session timeout
Authenticated sessions on the patient dashboard show a 60-second countdown warning before automatic logout after 15 minutes of idle time. Organization portal sessions follow the same policy. This is a HIPAA Security Rule control (§164.312(a)(2)(iii)) to protect against unauthorized access on shared or unattended devices.
Role-based access control (RBAC)
Organization portals implement three roles: Admin (full access including billing and team management), Staff (care outreach list access and patient contact workflows), and Read-Only Viewer (aggregate views without individual patient contact details). Role assignments are managed by the organization Admin and are logged.
Sign-in: passwordless for patients, MFA for organizations
Patients sign in with one-time codes sent by SMS or email (no password you must remember). Organization staff sign in through our identity provider with email and password plus email-based MFA for each session. ClearPath GI does not operate a separate password database for either audience.
HIPAA rules we design around
Privacy Rule (45 CFR Part 164, Subpart E)
- PHI is collected only with patient consent
- Minimum necessary standard applied to all disclosures
- Patient rights to access, amend, and delete their records honored
- No PHI disclosed to organizations without documented patient consent
- Notice of Privacy Practices available at enrollment
Security Rule (45 CFR Part 164, Subpart C)
- Access controls: unique user identifiers, automatic session logoff
- Audit controls: activity logs for all PHI access and disclosures
- Integrity controls: data modification requires authenticated action
- Transmission security: TLS for all data in transit
- Encryption: PHI encrypted at rest
Breach Notification Rule (45 CFR Part 164, Subpart D)
- Breach notification procedures established per 45 CFR §164.400
- BAA includes breach notification obligations and timelines
- Covered entity will be notified within required timeframes upon discovery of any breach involving their patients
Patient rights under HIPAA and state law
Right to access
Patients may request a copy of the personal data ClearPath GI holds about them at any time. Requests are fulfilled within 30 days.
Right to correction
Patients may update their name, contact information, last colonoscopy date, or follow-up interval from their dashboard at any time without submitting a formal request.
Right to deletion
Patients may delete their entire account from account settings. When a patient deletes their data, the account is removed immediately and organizations can no longer access that patient's information through ClearPath GI. We retain a limited regulatory archive for the period described in our Privacy Policy; after that period, the data is permanently deleted.
Right to revoke consent
Patients who have opted in to contact by an organization may revoke that consent at any time from their dashboard. Revocation is effective immediately and is logged.
Right to restrict disclosure
Patients who do not consent to contact are not listed on organization dashboards. Subscription reporting may still show high-level enrollment counts for purchased ZIPs or service areas without identifying individuals who have not opted in.
Right to data portability
Patients may request their data in a machine-readable format by contacting support@clearpathgi.com.