Common use of Security Management Process Clause in Contracts

Security Management Process.

1. Within one hundred eighty (180) days of the Effective Date, FIMR shall conduct and provide to OCR an accurate, thorough, FIMR-wide risk analysis that incorporates all electronic equipment, including equipment purchased outside of its standard procurement process, data systems, and applications controlled, administered, or owned by FIMR and its workforce members, that contain, store, transmit or receive FIMR ePHI. As part of this process, FIMR shall develop a complete inventory of all electronic equipment, data systems, and applications that contain or store FIMR ePHI, including personally owned devices, if any, which will then be incorporated in its risk analysis. Upon completion, FIMR shall submit the risk analysis to HHS for HHS' review, and either approval or disapproval, consistent with Section V.A.2, below.

2. Within sixty (60) days of its receipt of FIMR's risk analysis, HHS will inform FIMR in writing as to whether HHS approves or disapproves of the risk analysis. If HHS disapproves of the risk analysis, HHS shall provide FIMR with a written explanation of the basis for its disapproval, including comments and recommendations that FIMR can use to prepare a revised risk analysis. Upon receiving written notice of disapproval by HHS, and a description of any required changes to the risk analysis, FIMR shall have sixty (60) days in which to revise its risk analysis accordingly, and then submit the revised risk analysis to HHS for review and approval or disapproval. In the event that HHS does not approve the revised risk analysis, the process and associated time-frames set forth above shall continue until HHS approves the risk analysis.

3. Within ninety (90) days of receiving HHS' final approval of the risk analysis, FIMR shall develop an FIMR-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in its risk analysis ("Risk Management Plan" or the "Plan"). The Plan shall include a process and timeline for implementation, evaluation, and revision. The Plan shall be forwarded to HHS for its review consistent with paragraph V.A.4 of this Section.

4. HHS shall review and recommend changes to the aforementioned Risk Management Plan. Upon receiving HHS' recommended changes in writing, FIMR shall have sixty (60) days to provide HHS with a revised Risk Management Plan. This process shall continue until HHS provides final written approval of the Risk Management Plan. FIMR shall begin implementation of the Plan and distribute copies of the Plan to those workforce members involved with the implementation of the Plan. FIMR shall be responsible for implementing the Risk Management Plan within ninety (90) days of FIMR's receipt of final approval from HHS, or at such later date as is consistent with the Plan.

5. Once every twelve (12) months during the Compliance Term, FIMR will conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by FIMR, and document the security measures FIMR has implemented or is implementing that are sufficient to reduce the identified risks and vulnerabilities to a reasonable and appropriate level.

Appears in 2 contracts

Sources: Resolution Agreement, Resolution Agreement

Security Management Process.

1. EHP shall conduct an accurate, comprehensive and thorough Risk Analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by EHP. This Risk Analysis shall incorporate all EHP facilities, whether owned or rented, and evaluate the risks to the ePHI on all of its electronic equipment, data systems, and applications controlled, administered or owned by EHP or any EHP entity, that contain, store, transmit, or receive ePHI. Prior to conducting the Risk Analysis, EHP shall develop a complete inventory of all of its facilities, electronic equipment, data systems, and applications that contain or store ePHI that will then be incorporated into its Risk Analysis. EHP may submit a Risk Analysis currently underway for consideration by HHS for compliance with this provision.

2. EHP shall provide the Risk Analysis, consistent with section V.A.1, to HHS within one hundred eighty (180) days of the Effective Date for HHS' review. Within sixty (60) days of its receipt of EHP's Risk Analysis, HHS will inform EHP whether HHS approves or disapproves of the Risk Analysis. If HHS disapproves of the Risk Analysis, HHS shall provide EHP with technical assistance, as necessary, regarding the basis for disapproval so that EHP may prepare a revised Risk Analysis. EHP shall have sixty (60) days in which to revise its Risk Analysis accordingly, and then submit the revised Risk Analysis to HHS for review and approval. This submission and review process shall continue until HHS approves the Risk Analysis.

3. EHP shall develop an enterprise-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the Risk Analysis described above. The Risk Management Plan shall include a process and timeline for EHP's implementation, evaluation, and revision of its risk remediation activities. EHP may submit a Risk Management Plan currently underway for consideration by HHS for compliance with this provision.

4. Within ninety (90) days of HHS' final approval of the Risk Analysis described in section V.A above, EHP shall submit EHP's Risk Management Plan to HHS for HHS' review. Within sixty (60) days of its receipt of EHP's Risk Management Plan, HHS will inform EHP whether HHS approves the Risk Management Plan or HHS requires revisions. If HHS requires revisions to the Risk Management Plan, HHS shall provide EHP with a reasonable written explanation of the basis of its revisions, including comments and appropriate recommendations that EHP can use to prepare a revised Risk Management Plan. Upon receiving HHS's notice of required revisions, if any, EHP shall have sixty (60) days in which to revise its Risk Management Plan accordingly, and submit the revised Risk Management Plan to HHS for review and approval. This submission and review process shall continue until HHS approves the Risk Management Plan. Within thirty (30) days of HHS' approval of the Risk Management Plan, EHP shall finalize and officially adopt the Risk Management Plan in accordance with its applicable administrative procedures and distribute the plan to workforce members involved with implementation of the plan.

Appears in 1 contract

Sources: Resolution Agreement