Common use of Security Management Process Clause in Contracts

Security Management Process. 1. UM shall draft an enterprise-wide risk analysis and corresponding risk management plan4 that includes security measures to reduce the risks and vulnerabilities to the electronic protected health information (ePHI) maintained by UM to a reasonable and appropriate level. The risk analysis and corresponding risk management plan shall accurately reflect the enterprise-wide environment and operations of UM that exist at the time the risk analysis and risk management plan are submitted to HHS, including evaluating and addressing any weaknesses in the UM organizational structure (including staff qualifications and authority) responsible for overseeing UM’s compliance with the HIPAA Rules. 2. UM shall provide the updated risk analysis and risk management plan to the Internal Monitor for review and approval within ninety (90) days of HHS’s approval of the Monitor Plan specified in Section V.A.