Security Management Process.

1. OHSU shall conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (“ePHI”) held at OHSU, to include all OHSU facilities located in and outside of Portland, Oregon, and all systems, networks, and devices that create, receive, maintain, or transmit ePHI.

2. OHSU shall develop a comprehensive risk management plan that explains OHSU’s strategy for implementing security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level based on OHSU’s circumstances. OHSU’s risk management plan shall include a comprehensive, enterprise-wide plan to implement effective oversight of OHSU workforce members to ensure their adherence to HIPAA Rules and OHSU’s internal privacy and security policies and procedures. For all planned remediation actions, OHSU shall provide specific timelines for their expected completion and identify the compensating controls that will be in place in the interim to safeguard OHSU’s ePHI.

3. Within three hundred ten (310) days of the Effective Date, OHSU shall provide its risk analysis and risk management plan (including implementation dates for such measures and interim compensating controls) to HHS for review and approval. Upon receiving any recommended changes to the risk analysis and risk management plan from HHS, OHSU shall have ninety (90) days to revise the risk analysis and risk management plan and provide the revisions to HHS for review and approval.
Source: Resolution Agreement