System Audits, Monitoring and Assessments

2025.04.16

ClearHealth shall audit, monitor, and assess the access and activity of systems and applications that process or store production and/or sensitive data such as personally identifiable information (PII) and electronic protected health information (ePHI) in order to ensure compliance.

The HIPAA Security Rules require that healthcare organizations implement reasonable hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

Audit activities may be limited by application, system, and/or network auditing capabilities and resources. ClearHealth shall make reasonable and good-faith efforts to safeguard information privacy and security through a well-thought-out approach to auditing that is consistent with available resources.

It is the policy of ClearHealth to safeguard the confidentiality, integrity, and availability of applications, systems, and networks. To ensure that appropriate safeguards are in place and effective, ClearHealth shall audit access and activity to detect, report, and guard against:

This policy applies to all ClearHealth systems that store, transmit, or process sensitive information.

Policy Statements

ClearHealth policy requires that:

(a) All critical computing systems and software, both virtual and physical, must enable audit logging.

(b) Audit logs must include sufficient information to identify who did what, when, and where.

(c) An annual audit of ClearHealth security controls must be conducted, either by a designated internal audit team or a qualified external audit firm.

(d) ClearHealth must comply with all relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts.