Notice of Privacy Practices
Last updated: April 2026 · Draft — Pending Legal Review
GapClose ("we," "our," or "us") is committed to protecting the privacy and security of protected health information (PHI) entrusted to us by healthcare practices. This Notice of Privacy Practices explains what PHI we collect, how we use it, and what rights are available to patients and practices.
1. Protected Health Information We Collect and Process
When healthcare practices use GapClose, we receive and process protected health information (PHI) on their behalf. This includes: patient names and dates of birth, medical record numbers (MRNs), insurance and payer information (member IDs, plan names, lines of business), and clinical data such as lab values (e.g., HbA1c results), screening and exam dates (e.g., diabetic eye exams, colorectal cancer screenings), blood pressure readings, medication records, and diagnosis codes. We also collect account-level information from practice staff, including names, email addresses, and organization details.
2. Our Role: Business Associate
GapClose operates as a Business Associate under HIPAA, not as a Covered Entity. We process PHI only on behalf of the healthcare practices (Covered Entities) that use our platform, and only as permitted under a signed Business Associate Agreement (BAA). We do not have a direct treatment relationship with patients, and we do not make clinical decisions. Our role is limited to providing data analysis and quality-measure tracking tools to the practices we serve.
3. How We Use Protected Health Information
We use PHI strictly for the purposes outlined in our BAA with each practice. Specifically, we use PHI to: identify open HEDIS care gaps and HCC recapture opportunities, generate priority worklists and gap-closure reports, support patient outreach workflows (e.g., letters and call lists), and produce quality-measure dashboards and provider scorecards. We do not sell PHI. We do not share PHI with third parties beyond what is required to deliver the platform services described in our BAA. We do not use PHI for marketing, advertising, or any purpose unrelated to healthcare quality improvement.
4. Data Security
We implement industry-standard security measures to protect PHI, including: AES-256 encryption for PHI at rest, TLS encryption for all data in transit, role-based access control (RBAC) so that staff see only the data relevant to their role, append-only audit logging for all PHI access, and regular security assessments. We ensure that no PHI appears in application logs or external analytics services.
5. Patient Rights
Because GapClose is a Business Associate, we do not interact directly with patients. Patients who wish to exercise their HIPAA rights — including the right to access, amend, or request an accounting of disclosures of their PHI — should contact their healthcare provider (the Covered Entity) directly. If we receive a patient request, we will direct the individual to the appropriate practice. We support our partner practices in fulfilling these obligations by providing data export and audit-log capabilities.
6. Data Retention and Deletion
We retain PHI for as long as a practice's account is active and as needed to provide our services. Practices may request deletion of their patient data at any time by contacting us. Upon account termination, we delete or de-identify all PHI within 90 days, unless a longer retention period is required by law or by the terms of our BAA. Account-level information (staff names, emails) is retained only as long as necessary for billing and legal compliance after termination.
7. Changes to This Notice
We may update this Notice of Privacy Practices from time to time. If we make material changes to how we handle PHI, we will notify affected practices via email and post the updated notice on our website. The "Last updated" date at the top of this page reflects the most recent revision.
8. Contact Us
If you have questions about this Notice of Privacy Practices, our data handling, or HIPAA compliance, please contact us at: [email protected]