Security Management Process. 1. Skagit County shall conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered health care components of Skagit County as identified in its hybrid entity documentation approved by HHS. Skagit County shall implement security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level.
Security Management Process. 1. OHSU shall conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (“ePHI”) held at OHSU, to include all OHSU facilities located in and outside of Portland, Oregon, and all systems, networks, and devices that create, receive, maintain, or transmit ePHI.
Security Management Process. 1. UM shall draft an enterprise-wide risk analysis and corresponding risk management plan4 that includes security measures to reduce the risks and vulnerabilities to the electronic protected health information (ePHI) maintained by UM to a reasonable and appropriate level. The risk analysis and corresponding risk management plan shall accurately reflect the enterprise-wide environment and operations of UM that exist at the time the risk analysis and risk management plan are submitted to HHS, including evaluating and addressing any weaknesses in the UM organizational structure (including staff qualifications and authority) responsible for overseeing UM’s compliance with the HIPAA Rules.
Security Management Process. 1. Within one hundred eighty (180) days of the Effective Date, FIMR shall conduct and provide to OCR an accurate, thorough, FIMR-wide risk analysis that incorporates all electronic equipment, including equipment purchased outside of its standard procurement process, data systems, and applications controlled, administered, or owned by FIMR and its workforce members, that contain, store, transmit or receive FIMR ePHI. As part of this process, FIMR shall develop a complete inventory of all electronic equipment, data systems, and applications that contain or store FIMR ePHI, including personally owned devices, if any, which will then be incorporated in its risk analysis. Upon completion, FIMR shall submit the risk analysis to HHS for HHS' review, and either approval or disapproval, consistent with Section V.A.2, below.
Security Management Process. ACMHS shall annually, as required by ACMHS’ “IT Risk Management” policy and procedure, conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by ACMHS and document the security measures ACMHS implemented or is implementing to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level.
Security Management Process. (a) Implement policies and procedures to prevent, detect, contain and correct security violations.
Security Management Process. 1. EHP shall conduct a comprehensive and thorough Risk Analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by EHP. This Risk Analysis shall incorporate all EHP facilities, whether owned or rented, and evaluate the risks to the ePHI on all of its electronic equipment, data systems, and applications controlled, administered or owned by EHP or any EHP entity, that contain, store, transmit, or receive ePHI. Prior to conducting the Risk Analysis, EHP shall develop a complete inventory of all of its facilities, electronic equipment, data systems, and applications that contain or store ePHI that will then be incorporated into its Risk Analysis. EHP may submit a Risk Analysis currently underway for consideration by HHS for compliance with this provision.
Security Management Process. 1. Lahey shall conduct a comprehensive, organization-wide risk analysis of the security risks and vulnerabilities to the ePHI created, received, maintained or transmitted by Lahey that incorporates all of the electronic media, workstations, and information systems owned, controlled or leased by Lahey. The risk analysis shall include all ePHI maintained by Lahey, and include but not be limited to, ePHI stored on and accessed by workstations utilized in connection with diagnostic/laboratory equipment. Security risks and vulnerabilities specific to the ePHI in categories of media, workstations, information systems, may be evaluated as such, provided that there is a reasonable basis on which to believe that such security risks and vulnerabilities are common to the ePHI in each identified category, and the identified and evaluated categories collectively include all of the ePHI created, received, maintained, or transmitted by such media, workstations, and information systems.
Security Management Process. 1. QCA shall provide HHS with a risk analysis and corresponding risk management plan that includes security measures to reduce the risks and vulnerabilities to the electronic protected health information (ePHI) maintained by QCA to a reasonable and appropriate level. The risk analysis and corresponding risk management plan shall accurately reflect the environment and operations of QCA that exist at the time of the risk analysis and risk management plan are submitted to HHS. QCA shall provide the updated risk analysis and risk management plan to HHS for review and approval within sixty (60) days of the Effective Date.
Security Management Process. 3.1.1 Risk Analysis 8
