Corrective Action Obligations. The FMCNA Covered Entities agree to the following:
A. Conduct Risk Analysis
1. The FMCNA Covered Entities shall conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of the FMCNA Covered Entities’ electronic protected health information (“ePHI”) (“Risk Analysis”). The Risk Analysis shall incorporate the FMCNA Covered Entities’ facilities, whether owned or rented, and evaluate the risks to the ePHI on their electronic equipment, data systems, and applications controlled, administered or owned by the FMCNA Covered Entities, that contain, store, transmit, or receive ePHI. Prior to conducting the Risk Analysis, the FMCNA Covered Entities shall develop a complete inventory of all of their facilities, categories of electronic equipment, data systems, and applications that contain or store ePHI, which will then be incorporated into their Risk Analysis.
2. Within fourteen (14) days of the Effective Date, the FMCNA Covered Entities shall submit to HHS the scope and methodology by which they propose to conduct the Risk Analysis described in paragraph A.1. HHS shall notify the FMCNA Covered Entities whether the proposed scope and methodology is or is not consistent with 45 C.F.R. § 164.308(a)(1)(ii)(A).
3. The FMCNA Covered Entities shall provide the Risk Analysis, consistent with paragraph V.A.1, to HHS within one hundred eighty (180) days of HHS’ approval of the FMCNA Covered Entities’ methodology described in paragraph V.A.2 for HHS’ review. Within ninety (90) days of its receipt of the FMCNA Covered Entities’ Risk Analysis, HHS will inform FMCNA Contact in writing as to whether HHS approves of the Risk Analysis or, if necessary to ensure compliance with 45 C.F.R. § 164.308(a)(1)(ii)(A), requires revisions to the Risk Analysis. If HHS requires revisions to the Risk Analysis, HHS shall provide FMCNA Contact with a detailed, written explanation of such required revisions and with comments and recommendations in order for the FMCNA Covered Entities to be able to prepare a revised Risk Analysis. Upon receiving notice of required revisions to the Risk Analysis from HHS and a description of any required changes to the Risk Analysis, the FMCNA Covered Entities shall have sixty (60) days in which to revise their Risk Analysis accordingly and submit the revised Risk Analysis to HHS for review and approval. This submission and review process shall continue until HHS approves the ...
Corrective Action Obligations. UW agrees to the following:
A. Security Management Process.
Corrective Action Obligations. CU agrees to take the following corrective actions to address the Covered Conduct. To the extent necessary, CU shall collaborate with New York-Presbyterian (NYP) for the purpose of implementing the actions specified below:
A. Conduct a thorough Risk Analysis
Corrective Action Obligations. NYP agrees to take the following corrective actions. For purposes of the Agreement, the term “affiliated staff” refers to all medical personnel who are employees of Columbia University, but who nonetheless are authorized to treat patients at NYP and have been granted authorization to access NYP ePHI. To the extent necessary, NYP shall collaborate with the Trustees of Columbia University in the City of New York (CU) for the purpose of implementing the actions specified below:
Corrective Action Obligations. Skagit County agrees to the following:
Corrective Action Obligations. SEMC agrees to the following:
A. SEMC Self-Assessment
1. Purpose of Self-Assessment: Within one hundred twenty (120) calendar days of the Effective Date, SEMC or its designee shall conduct an assessment in accordance with Section V.A.2. of SEMC workforce members’ familiarity and compliance with SEMC policies and procedures that address the following:
a. transmitting ePHI using unauthorized networks;
b. storing ePHI on unauthorized information systems, including unsecured networks and devices;
c. removal of ePHI from SEMC;
d. prohibition on sharing accounts and passwords for ePHI access or storage;
e. encryption of portable devices that access or store ePHI; and
f. security incident reporting related to ePHI.
2. Description of Self-Assessment: Self-Assessment will include, but not be limited to:
a. Unannounced site visits to five SEMC departments, including the Cardiology Department (the “Covered Departments”) to assess implementation of the policies and procedures described in Section V.A.1.;
b. Interviews with a total of fifteen (15) randomly selected SEMC workforce members who have access to ePHI, thirteen (13) of whom shall be from the Covered Departments—including at least one intern, resident, or fellow, and the remaining two (2) of whom shall be interns, residents, or fellows working in Hematology/Oncology; and
c. Inspection of at least three (3) portable devices at each of the Covered Departments that can access ePHI, including one (1) laptop, one (1) other portable device, such as a tablet or smartphone, and one (1) portable storage media, such as a USB flash drive, randomly selected to ensure that such devices satisfy all applicable requirements of the policies and procedures described in Section V.A.1.
Corrective Action Obligations. ACMHS agrees to the following:
Corrective Action Obligations. NYP agrees to the following:
A. Policies and Procedures
1. NYP shall develop, maintain, and revise, as necessary, its written policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information (45 C.F.R. Part 160 and Subparts A, C, and E of Part 164, the Privacy and Security Rules). NYP’s policies and procedures shall include, but not be limited to, the minimum content set forth in section V.C.
2. NYP shall provide such policies and procedures, consistent with paragraph 1 above, to HHS within ninety (90) days of the Effective Date for review and approval. Upon receiving any recommended changes to such policies and procedures from HHS, NYP shall have 30 days to revise such policies and procedures accordingly and provide the revised policies and procedures to HHS for review and approval.
3. NYP shall implement such policies and procedures within sixty (60) days of receipt of HHS’ final approval.
Corrective Action Obligations. UM agrees to the following: