Security Management Process. 1. Within one hundred eighty (180) days of the Effective Date, FIMR shall conduct and provide to OCR an accurate, thorough, FIMR-wide risk analysis that incorporates all electronic equipment, including equipment purchased outside of its standard procurement process, data systems, and applications controlled, administered, or owned by FIMR and its workforce members, that contain, store, transmit or receive FIMR ePHI. As part of this process, FIMR shall develop a complete inventory of all electronic equipment, data systems, and applications that contain or store FIMR ePHI, including personally owned devices, if any, which will then be incorporated in its risk analysis. Upon completion, FIMR shall submit the risk analysis to HHS for HHS' review, and either approval or disapproval, consistent with Section V.A.2, below.
2. Within sixty (60) days of its receipt of FIMR’s risk analysis, HHS will inform FIMR in writing as to whether HHS approves or disapproves of the risk analysis. If HHS disapproves of the risk analysis, HHS shall provide FIMR with a written explanation of the basis for its disapproval, including comments and recommendations that FIMR can use to prepare a revised risk analysis. Upon receiving written notice of disapproval by HHS, and a description of any required changes to the risk analysis, FIMR shall have sixty (60) days in which to revise its risk analysis accordingly, and then submit the revised risk analysis to HHS for review and approval or disapproval. In the event that HHS does not approve the revised risk analysis, the process and associated time-frames set forth above shall continue until HHS approves the risk analysis.
3. Within ninety (90) days of receiving HHS’ final approval of the risk analysis, FIMR shall develop an FIMR-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in its risk analysis (“Risk Management Plan” or the “Plan”). The Plan shall include a process and timeline for implementation, evaluation, and revision. The Plan shall be forwarded to HHS for its review consistent with paragraph V.A.4 of this Section.
4. HHS shall review and recommend changes to the aforementioned Risk Management Plan. Upon receiving HHS’ recommended changes in writing, FIMR shall have sixty (60) days to provide HHS with a revised Risk Management Plan. This process shall continue until HHS provides final written approval of the Risk Management Plan. FIMR shall begin implementation of the Plan and d...
Security Management Process. 1. OHSU shall conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (“ePHI”) held at OHSU, to include all OHSU facilities located in and outside of Portland, Oregon, and all systems, networks, and devices that create, receive, maintain, or transmit ePHI.
2. OHSU shall develop a comprehensive risk management plan that explains OHSU’s strategy for implementing security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level based on OHSU’s circumstances. OHSU’s risk management plan shall include a comprehensive, enterprise-wide plan to implement effective oversight of OHSU workforce members to ensure their adherence to HIPAA Rules and OHSU’s internal privacy and security policies and procedures. For all planned remediation actions, OHSU shall provide specific timelines for their expected completion and identify the compensating controls that will be in place in the interim to safeguard OHSU’s ePHI.
3. Within three hundred ten (310) days of the Effective Date, OHSU shall provide its risk analysis and risk management plan (including implementation dates for such measures and interim compensating controls) to HHS for review and approval. Upon receiving any recommended changes to the risk analysis and risk management plan from HHS, OHSU shall have ninety (90) days to revise the risk analysis and risk management plan and provide the revisions to HHS for review and approval.
Security Management Process. 1. Skagit County shall conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered health care components of Skagit County as identified in its hybrid entity documentation approved by HHS. Skagit County shall implement security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level.
2. Within 120 days of HHS’s approval of its hybrid entity documentation under section V.C., above, Skagit County shall provide its risk analysis and description of risk management measures (including implementation dates for such measures) to HHS for review and approval. Upon receiving any recommended changes to the risk analysis and description of risk management measures from HHS, Skagit County shall have 60 days to revise the risk analysis and description of risk management measures, and provide the revisions to HHS for review and approval.
Security Management Process. 1. UM shall draft an enterprise-wide risk analysis and corresponding risk management plan that includes security measures to reduce the risks and vulnerabilities to the electronic protected health information (ePHI) maintained by UM to a reasonable and appropriate level. The risk analysis and corresponding risk management plan shall accurately reflect the enterprise-wide environment and operations of UM that exist at the time the risk analysis and risk management plan are submitted to HHS, including evaluating and addressing any weaknesses in the UM organizational structure (including staff qualifications and authority) responsible for overseeing UM’s compliance with the HIPAA Rules.
2. UM shall provide the updated risk analysis and risk management plan to the Internal Monitor for review and approval within ninety (90) days of HHS’s approval of the Monitor Plan specified in Section V.A.
Security Management Process. ACMHS shall annually, as required by ACMHS’ “IT Risk Management” policy and procedure, conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by ACMHS and document the security measures ACMHS implemented or is implementing to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level.
Security Management Process. As applicable, the Company maintains a security management process to prevent, detect, contain and correct security violations of applications and/or systems that contain ePHI.
Security Management Process. (a) Implement policies and procedures to prevent, detect, contain and correct security violations.
(b) Perform periodic audits (e.g., SAS70) of Vendor’s security controls (i.e., physical and logical security, network configuration, change/problem and vulnerability management and recovery services). Vendor will provide United with copies of such audits upon request. Such reports shall be considered Vendor’s confidential information under the Agreement.
Security Management Process. 1. Lahey shall conduct a comprehensive, organization-wide risk analysis of the security risks and vulnerabilities to the ePHI created, received, maintained or transmitted by Lahey that incorporates all of the electronic media, workstations, and information systems owned, controlled or leased by Lahey. The risk analysis shall include all ePHI maintained by Lahey, and include but not be limited to, ePHI stored on and accessed by workstations utilized in connection with diagnostic/laboratory equipment. Security risks and vulnerabilities specific to the ePHI in categories of media, workstations, information systems, may be evaluated as such, provided that there is a reasonable basis on which to believe that such security risks and vulnerabilities are common to the ePHI in each identified category, and the identified and evaluated categories collectively include all of the ePHI created, received, maintained, or transmitted by such media, workstations, and information systems.
2. Within fourteen (14) days of the Effective Date, Lahey shall submit to HHS the methodology by which it proposes to conduct the risk analysis described in paragraph
Security Management Process. 1. QCA shall provide HHS with a risk analysis and corresponding risk management plan that includes security measures to reduce the risks and vulnerabilities to the electronic protected health information (ePHI) maintained by QCA to a reasonable and appropriate level. The risk analysis and corresponding risk management plan shall accurately reflect the environment and operations of QCA that exist at the time the risk analysis and risk management plan are submitted to HHS. QCA shall provide the updated risk analysis and risk management plan to HHS for review and approval within sixty (60) days of the Effective Date.
2. Upon receiving notice from HHS specifying any required changes, QCA shall make the required changes and provide a revised risk analysis and risk management plan to HHS within thirty (30) days.
Security Management Process. 3.1.1 Risk Analysis
3.1.2 Risk Management
3.1.3 Sanctions
3.1.4 Information System Activity Review