1. ClearDATA’s CyberHealth™ Platform Assessment and Risk Management

Assessment and Risk management is a capability of the ClearDATA CyberHealth™ Platform with a professional services component. This platform capability is designed to thoroughly assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronically protected health information (ePHI). HIPAA regulations mandate the risk analysis under the HIPAA) Security Rule 45 C.F.R. Section 164.308(a)(ii)(A). The risk analysis is also a requirement under the Centers for Medicare and Medicaid Services (CMS) Incentive Programs, Medicare Access, and CHIP Reauthorization Act (MACRA) and, Merit-Based Incentive Payments System (MIPS). The Customer receives one assessment on each anniversary (i.e., twelve-month period) during the subscription term. ClearDATA Assessment and Risk Management does not include the remediation of findings. However, the Customer may hire ClearDATA professional services to remediate identified threats and vulnerabilities under a separate agreement.

2. Platform Capability

A subscription to ClearDATA CyberHealth™ Assessment and Risk Management provides the customer with a semi-automated method to collaborate with ClearDATA’s professional services team in the collection of relevant administrative, physical, and technical control evidence, delivery of ClearDATA documents, and tracking the remediation of risks.

3. Services

3.1 Evidence Gathering and Risk Assessment

ClearDATA shall do each of the following:

  • Conduct a kickoff meeting with the Customer’s team (e.g., Security, Privacy, Compliance official, IT, HR, Legal, Facilities) who will be involved with the engagement. The purpose of the meeting is to explain the assessment process, expectations, roles, and timeline.
  • Review the Customer’s existing policies and procedures documentation that directly correlate with the HIPAA Security Rule requirements. Identify deficiencies in the policies and procedures documentation, if any. ClearDATA will provide a template the Customer’s team can use to cross-reference their documentation if it does not annotate or footnote the relevant Security Rule regulation section (e.g., §164.308(a)(8)) each policy is addressing in the documentation.
  • Guide the Customer’s team in identifying and documenting where PHI exists (e.g., on servers, workstations, portable devices, medical devices, or with Business Associates, etc.) and the security controls in place to protect the data. ClearDATA will provide a method for documenting the ePHI inventory.
  • Conduct a checkpoint meeting with the Customer’s team to offer initial feedback regarding the policies and procedures documentation provided and review the ePHI inventory. If the ePHI inventory was not documented before the checkpoint meeting, then the meeting time will be used to document as much of the inventory as possible.
  • Conduct a risk assessment meeting (up to eight hours) with the Customer’s team to assess the existing controls for each of the Security Rule requirements.
  • Determine whether evidence is being maintained to support the organization’s compliance with the regulations, assess the organization’s preparedness for various natural, man-made and malicious threats, and note the findings (i.e. risks) and recommendations (i.e. corrective actions) to be included in the Security Risk Analysis (SRA) Report. The Customer’s team will be strongly urged to acknowledge and discuss areas in need of security improvements during the meeting.
  • Document the preliminary risk findings and recommendations based on the risk assessment meeting discussions and provide this draft information to the Customer’s team for review.
  • Provide the Customer’s team with an opportunity to send feedback and/or proposed language changes to the preliminary risk findings and recommendations, if any, to ClearDATA within 10 business days to confirm the information reflects the risk assessment meeting discussions. If no changes are received by the end of the tenth business-day review period, the next step will be to prepare and send the final engagement documents.

3.2 Report Delivery

  • Deliver a final Security Risk Analysis Report (i.e., one report).
  • Deliver a Risk Management Plan for planning and tracking remediation progress against each risk documented in the final Security Risk Analysis Report.
  • If requested, deliver a presentation of the material Security Risk Analysis Report findings and recommendations to the Customer’s Executive/IT management.
  • If requested, deliver a comprehensive set of HIPAA Security Rule policies and procedures “master document” templates to the Customer to integrate their standard operating procedures into the templates.
  • If requested, coordinate a scoping meeting with a ClearDATA Cybersecurity Partner if applicable. For clarity, a Cybersecurity Partner may be leveraged to provide cybersecurity services such as penetration testing, phishing simulation, or other services requested by the Customer that may not be provided by ClearDATA.
  • If requested, prepare and deliver a Letter of SRA completion
  • The assessment concludes when ClearDATA delivers the final SRA Report and Risk Management Plan documents, or a final meeting is conducted

3.3 Technical Guidance & Support

During the project, the SRA Team will provide customer training on how to use the Assessment and Risk module of the CyberHealth™ Platform to monitor their compliance posture as well as how to use ClearDATA’s ticketing system.

If Customers need additional guidance and thought leadership, have questions about the report, or future requests, they should coordinate with their Security and Risk Analyst assigned to the project.

For troubleshooting related to technical difficulties with the Assessment and Risk module, Customers can open tickets in the support module.

Customers may request product, compliance, and technical support by opening a support ticket on the ClearDATA customer portal:  https://cyberhealth.cleardata.com.

ClearDATA Business Hours:24x7x365, including U.S. Holidays.

4. Customer Obligations

4.1 Customer Point of Contact

The Customer shall designate a single point-of-contact and back-up contact with the decision-making authority for the Services (the “Customer POC”). The Customer POCs must understand the Customer’s processes and procedures related to the management of protected health information and have a reasonable technical understanding of the Customer’s data management systems. The primary POC will be responsible for coordinating with the ClearDATA Team on project communication and activities. The back-up POC will be available in case the primary POC is not available and unresponsive.

Without consistent communication with Customer POCs, key milestones could be missed and timelines might need to be adjusted. The Customer POC must be reasonably available during business hours to confer with ClearDATA.

4.2 Customer Cooperation

Customer shall promptly provide information and materials and give ClearDATA appropriate access to its facilities and relevant systems, as ClearDATA reasonably requests to complete the Services. ClearDATA is excused for the late performance of the Services to the extent the delay results from Customer’s failure or delay in providing information, materials, or access. The Customer acknowledges that its material or chronic delay is a material breach of the Agreement, giving rise to a right of termination. In addition to any other remedies available to ClearDATA regarding such breach, ClearDATA may reschedule the Services and charge Customer rescheduling fees as described below. The Customer acknowledges that the quality of the Services deliverables depends on the Customer providing accurate and complete information related to its management of ePHI or other sensitive information. The Customer acknowledges that ClearDATA’s fees for the Services may exceed the estimate stated in the applicable Order Form if ClearDATA is required to re-perform any part of the Services due to the Customer’s provision of inaccurate or incomplete information.

4.3 Risk Report

The Customer may not share ClearDATA’s Security Risk Analysis Report (“Risk Report”) with a third party except with ClearDATA’s consent and only in the complete and unmodified form as the Risk Report is provided to the Customer by ClearDATA. The Customer shall ensure that each copy of the Risk Report that is disclosed to a third party includes the Notice to Third Parties in the form set out in Section 6 below. The Customer shall also require each third party to whom it provides the Risk Report sign written confidentiality obligations covering the Risk Report that prohibit further disclosure or use for purposes other than those described in the Notice to Third Parties. The Customer may not combine the Risk Report with other materials except as expressly permitted in advance by ClearDATA.

4.4 Scheduling Changes

The Customer acknowledges that ClearDATA will schedule internal and may schedule third-party resources based on Customer’s commitment to Services start and completion dates stated in the Order Form. At the Customer’s request, ClearDATA will use reasonable efforts to reschedule the performance of the Services, provided that the Customer agrees to pay any additional expense incurred by ClearDATA resulting from the rescheduling. If Customer cancels or reschedules the performance of the Services less than two weeks before the scheduled start date, ClearDATA may charge the entire fee for the Services plus its out-of-pocket expenses incurred in connection with the scheduled Services. If the Customer cancels or reschedules the Services two weeks or longer before the scheduled date ClearDATA may charge ClearDATA’s out-of-pocket expenses incurred in connection with the scheduled Services. In no event shall ClearDATA be required to refund to Customer any prepaid fees or deposits for any canceled or rescheduled Services or any fees for third party materials.

4.5 ClearDATA Materials

ClearDATA retains all rights, title, and interest in and to any materials provided to the Customer for its use in enabling ClearDATA to provide the Services, whether in text, visual, audio, or other forms. Customer is licensed to use ClearDATA’s materials only for the purposes they were provided. The Customer may not copy the materials without ClearDATA’s prior written consent and may not distribute the materials, in whole or in part, to any third party. The Customer must comply with any additional terms of use or restrictions of any other third party whose materials or information is provided as part of the Services.

4.6 Recordings

The Customer may not record or transcribe any presentations given as part of the Services, in text, audio, visual or other form or media, without ClearDATA’s prior written consent and may use the recording or transcription as expressly stated otherwise in that consent.

5. Third-Party Services

ClearDATA may recommend third-party services in connection with the Services, such as penetration tests, vulnerability scans, or other related services. ClearDATA warrants that it shall coordinate the delivery of third-party services according to the standards and requirements of the third-party, but otherwise make no representation or warranty whatsoever about the third-party services. Third-party services delivered or coordinated by ClearDATA are provided as-is.