Privacy policy
Effective Date: November 3, 2025
CLIP (referred to as "CLIP," "we," "us," or "our") is committed to protecting the privacy and security of the personal and health information of the members, clients, and partners we serve. This Privacy Policy describes how we collect, use, and disclose information, particularly Protected Health Information (PHI), in compliance with applicable federal and state laws, including the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").
1. Applicability and Legal Framework
1.1 Our Role (Business Associate)
CLIP operates primarily as a Pharmacy Broker/PBM Consultant and provides technology-enabled services (e.g., HUB services, claims analysis, and alternative sourcing) on behalf of Covered Entities (such as health plans, PBMs, and certain employers/TPAs).
- In this capacity, CLIP acts as a Business Associate (BA) to our clients, and our use and disclosure of PHI are governed by our Business Associate Agreements (BAAs) with those clients.
- This policy describes our general practices; however, the specific handling of your PHI is ultimately determined by the Notice of Privacy Practices and the plan documents of your employer or health plan (the Covered Entity).
1.2 Information Covered
This policy applies to:
- Protected Health Information (PHI): Individually identifiable health information that we receive from or create on behalf of our Covered Entity clients, including claims data, drug utilization records, refill information, and eligibility data.
- Personal Information (PI) / Usage Data: Information collected from users of our website www.clipbenefits.com that does not qualify as PHI, such as IP addresses, browser type, and website usage details.
2. Information We Collect
2.1 PHI Collected for Services
We collect PHI strictly for the purposes of performing services specified in our contracts and BAAs, primarily from your Plan Administrator, PBM, or TPA via Secure FTP (SFTP) or API. This information is necessary for prescription processing, cost containment, and member support. Categories of PHI include:
- Patient Identification: Member ID, full name, date of birth, gender, address, and contact details.
- Prescription/Claims Data: Prescription number, NDC code, medication name/strength, quantity, refill information, claims history, prior authorization (PA) status, and cost/reimbursement amounts.
- Eligibility Data: Plan ID, PBM/PCN numbers, and group number.
2.2 Non-PHI Website and Technical Data
When you access or interact with the CLIP website www.clipbenefits.com, we automatically collect certain technical and usage data that does not constitute Protected Health Information (PHI). This information is used primarily to maintain site security, optimize performance, and understand user engagement.
- Usage Details: We record specific details of your visits, including traffic patterns, system logs, the specific pages you navigate to, the date and time of your access, and any error reports generated during your session.
- Device & Connection Information: To ensure a compatible and secure experience, we collect your IP address, operating system, and the type of web browser you are using.
- Cookies and Tracking Technologies: CLIP utilizes cookies, web beacons, and similar tracking tools to enhance site functionality and provide a more personalized experience. This data is analyzed on an aggregate, de-identified basis to help us improve our digital services without identifying you personally.
3. How We Use and Disclose Information
3.1 Uses and Disclosures of PHI (TPO)
We use and disclose Protected Health Information (PHI) without requiring further authorization strictly for Treatment, Payment, and Healthcare Operations (TPO), as defined by HIPAA, and to fulfill the specific services outlined in our contracts:
- Treatment: We share necessary data with contracted healthcare providers or licensed international pharmacies to fulfill your prescriptions and ensure continuity of care.
- Payment: We utilize claims and eligibility data for pharmacy benefit adjudication, rebate aggregation, copay optimization, and the calculation of Guaranteed Net Pricing (GNP) to streamline billing and reduce costs for your plan.
- Healthcare Operations: We use de-identified data for quality assessment, internal compliance auditing, generating transparent performance reports, and enhancing our proprietary cost-containment engine.
3.2 Specific Service Disclosures
We may disclose PHI to the following parties as necessary to provide our services:
- PBMs/TPAs: For real-time claim adjudication, data reconciliation, and integration with your existing benefits platform.
- HUB Service Partners: To coordinate member support, manage prescription retrieval, and provide omnichannel communications.
- CLIP Network Pharmacies: We disclose PHI to pharmacies within the CLIP network specifically to facilitate the dispensing and shipping of prescription medication orders. These contracted partners manage the dispensing and shipping of medications through mail order and specialty pharmacies, overseeing fulfillment and secure delivery for both domestic and international sourcing, including specialized cold-chain logistics.
3.3 Website Data Use
We use non-PHI website data for the following purposes:
- To monitor and analyze website activity and improve the performance and design of the site.
- To respond to user inquiries submitted through contact forms.
- To comply with legal reporting obligations.
4. Security and Compliance
4.1 Our Commitment to Security
CLIP maintains Administrative, Physical, and Technical Safeguards to protect the confidentiality, integrity, and availability of all electronic Protected Health Information (ePHI).
- Technical Safeguards: We use encryption for data at rest and in transit (SFTP/API), multi-factor authentication, and robust access controls.
- Our commitment to compliance extends well beyond program-specific requirements; we prioritize the highest standards of privacy, confidentiality, and HIPAA-regulated security. We maintain rigorous SOC-2 and HIPAA compliance to ensure that every piece of sensitive data is protected by industry-leading safeguards and strictly adheres to all applicable data security regulations.
4.2 Minimum Necessary Rule
CLIP adheres to the Minimum Necessary Rule, ensuring that we access, use, or disclose only the minimum amount of PHI required to perform a specific function.
4.3 Data Retention
We retain PHI only for as long as necessary to fulfill the purposes outlined in this policy and our BAAs, or as required by applicable laws (such as audit requirements for financial transactions).
5. Your Rights Regarding PHI
Since CLIP is a Business Associate, the individual rights listed below are rights you must generally exercise directly with your Covered Entity (your employer or health plan). We will cooperate with your Covered Entity to fulfill these rights as required by law:
- Right to Access: You have the right to inspect and obtain a copy of your PHI.
- Right to Request Restrictions: You may request restrictions on how your PHI is used or disclosed for treatment, payment, and healthcare operations.
- Right to Amend: You have the right to request an amendment of your PHI if you believe it is incorrect or incomplete.
- Right to an Accounting of Disclosures: You have the right to receive a list of certain disclosures we have made of your PHI.
- Right to Confidential Communications: You can request that we communicate with you about health matters in a certain way or at a certain location (which would be handled through the Covered Entity).
6. Changes to This Policy and Contact Information
6.1 Changes to the Policy
We reserve the right to change the terms of this Privacy Policy at any time. Any changes will be posted on this page with a revised "Effective Date."