Policy Management
2025.04.16
ClearHealth implements policies and procedures to maintain the compliance and integrity of data. The Security Officer and Privacy Officer are responsible for maintaining policies and procedures, and for ensuring that all ClearHealth workforce members, business associates, customers, and partners adhere to all applicable policies. Previous versions of policies are retained so that policies as of specific historical dates can be found easily.
Policy Statements
ClearHealth policy requires that:
(a) ClearHealth policies must be developed and maintained to meet all applicable compliance requirements and adhere to security best practices, including but not limited to:
- HIPAA
- HITRUST
- SOC 2
(b) All policies must be reviewed at least annually.
(c) All policy changes must be approved by ClearHealth’s Security Officer. Additionally:
- Major changes may require approval by ClearHealth’s CEO or designee;
- Changes to policies and procedures related to product development may require approval by the Head of Engineering.
(d) All policy documents must be maintained with version control, and previous versions must be retained for a minimum of seven years.
(e) Policy exceptions are handled on a case-by-case basis.
- All exceptions must be fully documented with business purpose and reasons why the policy requirement cannot be met.
- All policy exceptions must be approved by both ClearHealth’s Security Officer and COO.
- An exception must have an expiration date no later than one year from the date of exception approval, and it must be reviewed and re-evaluated on or before the expiration date.