2021.07.27
Security and compliance are everyone's responsibility. ClearHealth is committed to ensuring that all workforce members actively address security and compliance in their roles. Statistically, cybersecurity breaches typically start with the compromise of end-user computing devices, social engineering, human error, or insider threat. Users are therefore the first line of defense and, ironically, also the weakest link. As such, training is imperative to ensuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.
In this, and all related policy documents, the terms "employees" and "workforce members" may be used interchangeably to include all full-time and part-time employees in all job roles, contractors and subcontractors, volunteers, interns, managers, and executives at ClearHealth.
The Security Officer, in collaboration with the Privacy Officer, is responsible for facilitating the development, testing, implementation, training, and oversight of all activities pertaining to ClearHealth's efforts to comply with the applicable security and compliance regulations and industry best practices. The intent of the Security Officer's responsibilities is to maintain the confidentiality, integrity, and availability of critical and sensitive data. The Security Officer and the Privacy Officer are appointed by, and report to, the Board of Directors and/or the CEO.
ClearHealth has appointed Kevin Lynch as the Security Officer and Maris Mejia as the Privacy Officer.
An official Security Committee has been formed, chaired by the Security Officer and composed of the following members of the senior leadership team: Security Officer, Privacy Officer, CIO, COO, and CEO.
ClearHealth policy requires that:
(a) A Security Officer and a Privacy Officer [164.308(a)(2)] must be appointed to assist in maintaining and enforcing safeguards for security, compliance, and privacy.
(b) Security and compliance are the responsibility of all workforce members: employees, contractors, interns, and managers/executives. All workforce members are required to:
- Complete all required security training, including annual regulatory compliance training and security awareness training, as part of the ongoing security awareness program and as required by job role.
- Complete annual HIPAA awareness training.
- Follow all security requirements set forth in ClearHealth's security policies and procedures, including but not limited to the access control policies and procedures and the acceptable use policy for end-user computing.
- See something, say something: follow the incident reporting procedure to report all suspicious activity to the security team.
(c) All workforce members are required to report non-compliance with ClearHealth's policies and procedures to the Security Officer or designee. Individuals who report violations in good faith may not be subjected to intimidation, threats, coercion, discrimination, or any other retaliatory action as a consequence.
(d) All workforce members are required to cooperate with federal, state, and local law enforcement activities and legal investigations. It is strictly prohibited to interfere with investigations through willful misrepresentation, omission of facts, or by the use of threats against any person.
(e) Workforce members found to be in violation of this policy will be subject to sanctions.
(f) Segregation of Duties shall be maintained, where applicable, to ensure proper checks and balances and to minimize conflicts of interest. This considerably reduces the opportunity for fraud and insider threat, and avoids single points of compromise for critical systems, since no single individual can both perform and approve a sensitive action.