Compliance Audits and External Communications
2025.04.16
ClearHealth may occasionally be asked by an external entity, such as a customer, the media, legal counsel, or law enforcement, to share additional details regarding its compliance, privacy, and security program. Any such external communication, beyond what is already publicly published, must comply with the following policies and procedures.
Policy Statements
ClearHealth policy requires that:
(a) ClearHealth operations must comply with all applicable laws, regulations, security standards and frameworks. External audits shall be conducted in accordance with each applicable compliance requirement.
- HIPAA/HITECH. ClearHealth must comply with all requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
- HITRUST. ClearHealth's security program and controls are aligned with the HITRUST Common Security Framework (CSF).
(b) All external communications related to compliance and customer/employee privacy must follow pre-established procedures and be handled by approved personnel. This includes, but is not limited to, distribution of audit reports, assessment results, incident details, and breach notifications.
(c) Audit and compliance reports may be shared with an external party only under a signed NDA and with the approval of ClearHealth's Security and/or Privacy Officer.