HIPAA Compliance
Notice of Privacy Practices | Effective: April 2026
Notice of Privacy Practices
This Notice of Privacy Practices describes how Leap 4 Health may use and disclose your protected health information (PHI) and how you can access this information. Please review it carefully.
Leap 4 Health is required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) to maintain the privacy and security of your PHI, to provide you with this notice of our legal duties and privacy practices, and to follow the terms of this notice currently in effect.
How We Protect Your Health Information
Leap 4 Health implements comprehensive administrative, technical, and physical safeguards to protect your PHI in accordance with HIPAA Security Rule requirements.
Administrative Safeguards
- Designated HIPAA Privacy Officer responsible for policy development and compliance
- Workforce training on HIPAA requirements and information handling procedures
- Documented policies and procedures for the use and disclosure of PHI
- Regular risk assessments to identify and mitigate threats to PHI
- Sanctions for workforce members who violate privacy and security policies
Technical Safeguards
- End-to-end encryption for all data in transit and at rest
- Role-based access controls ensuring that only authorized personnel can access PHI
- Unique user identification and authentication for all system users
- Automatic session timeouts and account lockout after failed authentication attempts
- Audit logging of all access to and modification of PHI
- Secure backup and disaster recovery procedures
Physical Safeguards
- Cloud infrastructure hosted in SOC 2 Type II certified data centers
- Restricted physical access to systems that store or process PHI
- Secure disposal of hardware and media containing PHI
Your Rights Under HIPAA
Under HIPAA, you have the following rights regarding your protected health information. To exercise any of these rights, submit a written request to our HIPAA Privacy Officer at support@leap4health.org.
Right to Access
You have the right to inspect and obtain a copy of your PHI that is maintained in our records, including medical records, billing records, and other records used to make decisions about your care. We will provide your records in the format you request if it is readily producible, or in a mutually agreed-upon alternative format. We may charge a reasonable, cost-based fee for copies. We will respond to your request within thirty (30) days.
Right to Amendment
You have the right to request that we amend your PHI if you believe it is inaccurate or incomplete. We will respond to your request within sixty (60) days. We may deny your request in certain circumstances, such as if the information was not created by us or if we determine the existing information is accurate and complete. If we deny your request, we will provide a written explanation, and you may submit a statement of disagreement.
Right to an Accounting of Disclosures
You have the right to receive a list of certain disclosures we have made of your PHI. This accounting does not include disclosures made for treatment, payment, or healthcare operations, or disclosures you have authorized in writing. The accounting covers the six (6) years prior to the date of your request. The first accounting in any twelve-month period is free of charge; we may charge a reasonable fee for additional requests.
Right to Request Restrictions
You have the right to request restrictions on how we use or disclose your PHI for treatment, payment, or healthcare operations. We are not required to agree to your request unless the disclosure is to a health plan for payment or healthcare operations purposes and the PHI pertains to a service for which you have paid in full out of pocket. If we agree to a restriction, we will comply with it except in emergency situations.
Right to Confidential Communications
You have the right to request that we communicate with you about your health information through alternative means or at alternative locations. For example, you may request that we contact you only by email or only at a specific phone number. We will accommodate reasonable requests.
Right to File a Complaint
If you believe your privacy rights have been violated, you have the right to file a complaint. You will not be retaliated against for filing a complaint. Complaints may be filed in two ways:
- With Leap 4 Health by contacting our HIPAA Privacy Officer at support@leap4health.org
- With the U.S. Department of Health and Human Services Office for Civil Rights by visiting www.hhs.gov/ocr/privacy/hipaa/complaints or by calling 1-877-696-6775
Filing a Complaint
If you believe that Leap 4 Health has violated your privacy rights or that your PHI has been compromised, we encourage you to contact us directly so we can investigate and resolve the issue.
To file a complaint with Leap 4 Health:
- Send a written description of your concern to our HIPAA Privacy Officer at support@leap4health.org
- Include your name, contact information, and a description of the issue
- We will acknowledge receipt of your complaint within five (5) business days
- We will investigate and provide a written response within thirty (30) days
You also have the right to file a complaint directly with the U.S. Department of Health and Human Services. Filing a complaint will not affect your care or your relationship with Leap 4 Health. We do not retaliate against individuals who file complaints.
Business Associate Agreements
Leap 4 Health works with third-party service providers who may access, create, receive, maintain, or transmit PHI on our behalf. These entities are known as Business Associates under HIPAA.
We require all Business Associates to enter into a Business Associate Agreement (BAA) before they are permitted to handle PHI. These agreements contractually obligate Business Associates to:
- Implement appropriate safeguards to protect PHI
- Report any security incidents or breaches to Leap 4 Health
- Ensure that any subcontractors handling PHI also agree to the same restrictions
- Make PHI available to patients upon request as required by HIPAA
- Return or destroy PHI at the termination of the agreement
Our Business Associates include cloud hosting providers, payment processors, pharmacy partners, laboratory service providers, and our technology partner, Michai Media.
Data Breach Notification
In the event of a breach of unsecured PHI, Leap 4 Health will comply with the HIPAA Breach Notification Rule and all applicable state breach notification laws. Our breach notification procedures include the following:
Individual Notification
We will notify affected individuals without unreasonable delay and no later than sixty (60) days after discovery of a breach. Notification will be provided in writing by first-class mail or, if the individual has agreed to electronic notice, by email. The notification will include a description of what happened, the types of information involved, steps individuals can take to protect themselves, what we are doing in response, and contact information for follow-up questions.
HHS Notification
For breaches affecting 500 or more individuals, we will notify the U.S. Department of Health and Human Services without unreasonable delay and no later than sixty (60) days after discovery. For breaches affecting fewer than 500 individuals, we will report them to HHS within sixty (60) days of the end of the calendar year in which they were discovered.
Media Notification
For breaches affecting 500 or more residents of a single state or jurisdiction, we will notify prominent media outlets in that area without unreasonable delay and no later than sixty (60) days after discovery.
Investigation and Mitigation
Upon discovering a potential breach, we will immediately initiate an investigation, take steps to mitigate harm, implement corrective actions to prevent recurrence, and document our findings and response. Our incident response team includes designated personnel trained to handle breach investigations and notifications.
Contact Our HIPAA Privacy Officer
For questions about this notice, our privacy practices, or to exercise your HIPAA rights, please contact:
This notice is available on our website and will be provided to you upon request. We reserve the right to change the terms of this notice and to make new provisions effective for all PHI that we maintain. If we make material changes, we will post a revised notice on our website and notify you through the platform.