Information System Security Policy Sample Clauses

Information System Security Policy. HealthStream acknowledges that IT&S and its affiliates have an Information System Security Policy (IS.SEC.001 et seq.) relating to the establishment of security measures to protect information assets, whether stored in electronic form, hard copy, or in any other manner, and that it has received a copy of this policy. The Information System Security Policy is also available through IT&S's Internet website at: http://www.hcahealthcare.com/Ethics/Policies/policies.htm. HealthStrea▇ ▇▇▇▇▇▇ ▇▇ ▇▇▇▇▇▇ ▇▇▇▇ the applicable provisions of this Information System Security Policy, as well as Information System Security Standards referenced in the Policy. HealthStream acknowledges that the legal, technical, or business requirements for security of Protected Health Information may change and that IT&S shall have the right to require new policies, processes and procedures, or to require modifications to existing policies, processes and procedures during the term of this Agreement. HealthStream shall either contact in writing the appropriate IT&S representative responsible for the transaction under this Services Agreement or check the above listed website address (or its subsequent replacement) at least on a semiannual basis for the purpose of inquiring as to and/or obtaining any updates to the Information System Security Policy and the Information System Security Standards. Upon receipt of revisions, HealthStream shall submit a plan to IT&S to mitigate security risks associated with the policy and/or standard revisions. In the event that HealthStream can demonstrate that such new or modified requirements would impose inordinate costs on HealthStream, HealthStream shall provide IT&S with written notice, describing in detail the requirement at issue, and HealthStream's calculation of the cost of implementation.
Within thirty (30) days of receiving such notice, IT&S may then suggest lower cost implementations or waiving compliance in whole or part with the requirement. IT&S and HealthStream agree that best security practices (e.g., National Institute of Standards and Technology) shall be used as the basis for evaluating a risk mitigation plan.