Third Party Security, Vendor Risk Management and Systems/Services Acquisition

2025.04.16

ClearHealth makes every effort to ensure that all third-party organizations are compliant and do not compromise the integrity, security, and privacy of ClearHealth or ClearHealth’s customer data. Third parties include vendors, customers, partners, subcontractors, and contracted developers.

Policy Statements

ClearHealth policy requires that:

(a) A list of approved vendors/partners must be maintained and reviewed annually.

(b) Approval from management, procurement and security must be in place prior to onboarding any new vendor or contractor. Additionally, all changes to existing contract agreements must be reviewed and approved prior to implementation.

(c) For any technology solution that needs to be integrated with the ClearHealth production environment or operations, a Vendor Technology Review must be performed by the Security Team to understand and approve the risk. Periodic compliance assessment and SLA review may be required.

(d) ClearHealth ensures that third-party organizations use appropriate change management procedures for any changes to a third-party service or organizational system. The risk management process is tracked in Mercury.

(e) ClearHealth delegated to Rackspace and Optum the periodic audit of the network services to ensure that network service providers have implemented the required security features and meet the requirements agreed with management, including new and existing regulations.

(f) ClearHealth’s customers or partners should not be allowed access outside of their own environment, meaning they cannot access, modify, or delete any data belonging to other third parties.

(g) Additional vendor agreements are obtained as required by applicable regulatory compliance requirements.