vendor.md

Third Party Security, Vendor Risk Management and Systems/Services Acquisition

2021.08.03

ClearHealth makes every effort to ensure that all third-party organizations are compliant and do not compromise the integrity, security, and privacy of ClearHealth or ClearHealth's customer data. Third parties include vendors, customers, partners, subcontractors, and contracted developers.

Policy Statements

ClearHealth policy requires that:

(a) A list of approved vendors/partners must be maintained and reviewed annually.

(b) Approval from management, procurement and security must be in place prior to onboarding any new vendor or contractor. Additionally, all changes to existing contract agreements must be reviewed and approved prior to implementation.

(c) For any technology solution that needs to be integrated with the ClearHealth production environment or operations, a Vendor Technology Review must be performed by the Security Team to understand and approve the risk. Periodic compliance assessment and SLA review may be required.

(d) ClearHealth's customers or partners should not be allowed access outside of their own environment, meaning they cannot access, modify, or delete any data belonging to other third parties.

(e) Additional vendor agreements are obtained as required by applicable regulatory compliance requirements.

  • A standard HIPAA Business Associate Agreement (BAA) is defined and includes the required security controls in accordance with the organization's security policies. Additionally, responsibility is assigned in these agreements. A BAA must be signed with any vendor that may have a business need to access, and/or may have unsupervised access to, PHI or ePHI.