ClearDATA Assess® Service Description
This is the Service Description for ClearDATA Assess.
- ClearDATA Assess
- Customer Obligations
- Third-Party Services
- Notice to Third-Parties
1. ClearDATA Assess®
ClearDATA Assess® is purpose-built software and professional services that are designed to provide a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) under the requirements of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Security Rule 45 C.F.R. Section 164.308(a)(ii)(A) regulation, as well as the requirement for a security risk analysis (SRA) under the Centers for Medicare and Medicaid Services (CMS) Incentive Programs, the Medicare Access and CHIP Reauthorization Act (MACRA), and the Merit-Based Incentive Payment System (MIPS). The Customer receives one assessment on each anniversary (i.e., twelve-month period) during the subscription term. ClearDATA Assess does not include the remediation of risks. However, ClearDATA may be able to offer other professional services to help with remediation.
A subscription to ClearDATA Assess provides the customer with an automated method to collaborate with ClearDATA’s professional services team in the collection of relevant assessment evidence, delivery of ClearDATA documents, and tracking the remediation of risks.
3.1 Evidence Gathering and Risk Assessment
ClearDATA shall do each of the following:
- Conduct a kickoff meeting with the Customer’s team (e.g., Security, Privacy, Compliance official, IT, HR, Legal, Facilities) who will be involved with the engagement. The purpose of the meeting is to explain the assessment process, expectations, roles, and timeline.
- Review the Customer’s existing policies and procedures documentation that directly correlates to the HIPAA Security Rule regulations. Identify deficiencies in the policies and procedures documentation, if any. ClearDATA will provide a template the Customer’s team can use to cross-reference their documentation if it does not annotate or footnote the relevant Security Rule regulation section (e.g., §164.308(a)(8)) each policy is addressing in the documentation.
- Guide the Customer’s team in identifying and documenting where HIPAA-covered ePHI data exists (e.g., on servers, workstations, portable devices, medical devices, or with Business Associates, etc.) and the security controls in place to protect the data. ClearDATA will provide a method for documenting the ePHI inventory.
- Conduct a checkpoint meeting with the Customer’s team to offer initial feedback regarding the policies and procedures documentation that was provided and review the ePHI inventory that was documented. If the ePHI inventory was not documented before the checkpoint meeting, then the meeting time will be used to document as much of the inventory as possible.
- Conduct a risk assessment meeting (up to eight hours) with the Customer’s team to assess the existing controls in place for each of the Security Rule regulations, determine whether evidence is being maintained to support the organization’s compliance with the regulations, assess the organization’s preparedness for various natural, man-made, and malicious threats, and note the findings (i.e., risks) and recommendations (i.e., corrective actions) to be included in the Security Risk Analysis Report. The Customer’s team will be strongly urged to acknowledge and discuss areas in need of security improvements during the meeting.
- Document the preliminary risk findings and recommendations based on the risk assessment meeting discussions and provide this draft information to the Customer’s team for review.
- Provide the Customer’s team with an opportunity to send feedback and/or proposed language changes to the preliminary risk findings and recommendations, if any, to ClearDATA within five business days to confirm the information reflects the risk assessment meeting discussions. If no changes are received by the end of the five-business-day review period, the next step will be to prepare and send the final engagement documents.
3.2 Report Delivery
- Deliver a final Security Risk Analysis Report (i.e., one report).
- Deliver a Risk Management Plan for planning and tracking remediation progress against each risk documented in the final Security Risk Analysis Report.
- Deliver a presentation of the significant Security Risk Analysis Report findings and recommendations to the Customer’s Executive/IT management, if requested.
- Deliver a comprehensive set of HIPAA Security Rule policies and procedures “master document” templates to the Customer to integrate their standard operating procedures into the templates, if requested.
- Coordinate a scoping meeting with ClearDATA’s Cybersecurity Partner, if requested.
- The assessment ends when the final Security Risk Analysis Report and Risk Management Plan documents are delivered, or a final meeting is conducted.
- The assessment service will be performed on a remote basis.
- If the Customer requests onsite assessment services, travel expenses are incurred. Onsite assessments typically involve one day, up to three days, at the Customer’s location. The Customer shall pay ClearDATA’s actual and reasonable travel expenses associated with travel to and from the Customer’s location(s), including air and ground transportation, lodging, meals, and incidentals such as Wi-Fi charges. Travel expenses are billed separately at actual cost.
4. Customer Obligations
4.1 Customer Point of Contact
The Customer shall designate a single point of contact who has decision-making authority with respect to the Services (the “Customer POC”). The Customer POC must understand the Customer’s processes and procedures as they relate to the management of protected health information, and have a reasonable technical understanding of the Customer’s data management systems. The Customer POC must be reasonably available during business hours to confer with ClearDATA.
4.2 Customer Cooperation
Customer shall promptly provide information and materials, and give ClearDATA access to its facilities and systems, as ClearDATA reasonably requests for the purpose of completing the Services. ClearDATA is excused for the late performance of the Services to the extent the delay results from Customer’s failure or delay in providing information, materials, or access. The Customer acknowledges that its material or chronic delay is a material breach of the Agreement, giving rise to a right of termination. In addition to any other remedies available to ClearDATA in respect of such breach, ClearDATA may reschedule the Services and charge Customer rescheduling fees as described below. The Customer acknowledges that the quality of the Services deliverables depends on Customer providing accurate and complete information related to its management of ePHI or other sensitive information. The Customer acknowledges that ClearDATA’s fees for the Services may exceed the estimate stated in the applicable Order Form if ClearDATA is required to re-perform any part of the Services as a result of Customer’s provision of inaccurate or incomplete information.
4.3 Risk Report
The Customer may not share ClearDATA’s Security Risk Analysis Report (“Risk Report”) with a third party except with ClearDATA’s consent and only in the complete and unmodified form in which the Risk Report is provided to the Customer by ClearDATA. The Customer shall ensure that each copy of the Risk Report that is disclosed to a third party includes the Notice to Third Parties in the form set out in Section 6 below. The Customer shall also require each third party to whom it provides the Risk Report to sign written confidentiality obligations covering the Risk Report that prohibit further disclosure or use for purposes other than those described in the Notice to Third Parties. The Customer may not combine the Risk Report with other materials except as expressly permitted in advance by ClearDATA.
The Customer POC will perform any interim review reasonably requested by ClearDATA in connection with interim reports or other service deliverables and provide detailed feedback to enable ClearDATA to complete the Services. The Customer will give ClearDATA notice of its acceptance or rejection of the final Services and related reports and deliverables promptly on completion of the Services and delivery of the deliverables. If the Customer has not provided a written notice of rejection on or before the 10th business day from delivery or completion, the Services and related deliverables will be deemed accepted as of the 10th business day. The Customer may reject the Services or deliverables only if they fail to conform to the Services requirements. The Customer shall identify the specific way(s) in which the Services or deliverables fail to conform to the Services in its rejection notice. ClearDATA will have 10 business days from the notice of rejection to cure any items of non-conformance and resubmit the Services for acceptance. The Customer will then have a second 10-business-day period to test and evaluate the Services and deliverables. If the Customer rejects the Services or deliverables a second time, the Services are terminated, and the parties agree to negotiate in good faith to resolve any outstanding fees for Services provided.
4.5 Scheduling Changes
The Customer acknowledges that ClearDATA will schedule internal resources, and may schedule third-party resources, based on the Customer’s commitment to the Services start and completion dates stated in the Order Form. On the Customer’s request, ClearDATA will use reasonable efforts to reschedule an agreed date for the performance of the Services, provided that the Customer agrees to pay any additional expense incurred by ClearDATA as a result of the rescheduling. If the Customer cancels or reschedules the performance of the Services less than two weeks before the scheduled start date, ClearDATA may charge the entire agreed fee for the Services plus its out-of-pocket expenses incurred in connection with the scheduled Services. If the Customer cancels or reschedules the Services two weeks or longer before the scheduled date, ClearDATA may charge ClearDATA’s out-of-pocket expenses incurred in connection with the scheduled Services. In no event shall ClearDATA be required to refund to the Customer any prepaid fees or deposits for any canceled or rescheduled Services, or any fees for third-party materials.
4.6 ClearDATA Materials
The Customer may not record or transcribe any presentations given as part of the Services, in text, audio, visual, or other form or media, without ClearDATA’s prior written consent, and may use any such recording or transcription only as expressly permitted in that consent.
5. Third-Party Services
ClearDATA may recommend third-party services in connection with the Services, such as penetration tests, vulnerability scans, or other related services. ClearDATA warrants that it shall coordinate the delivery of the third-party services in accordance with the standards and requirements of the third party, but otherwise makes no representation or warranty whatsoever about the third-party services. Third-party services delivered or coordinated by ClearDATA are provided AS IS.
6. Notice to Third-Parties
Notice to Third Parties from ClearDATA Networks, Inc.
This report includes confidential information of ClearDATA Networks, Inc. ClearDATA permits Customer to disclose this report to you on the following conditions:
- You will not further disclose this report to any other person;
- You understand that ClearDATA undertakes no responsibility to you as to the subject matter of this report; and
- ClearDATA disclaims any warranty or representation that the Customer’s security safeguards meet your business or security requirements.
This report was prepared under a contractually agreed specification between ClearDATA and the Customer, based on information provided to ClearDATA by the Customer. It is provided to you for informational purposes only. You should rely only on your verification of the risks, controls, and safeguards covered by this report.