Common use of Application Access Clause in Contracts

Application Access. All systems accessible via the internet must employ security controls to prevent access to the application via an asset not approved or owned by the county. • Risk Assessment. Application Service Providers hosting data for HIPAA covered services must conduct an accurate and thorough Risk Assessment as required by HIPAA Security Rule, Security Management (§ 164.308(a)(1)). Further, they must follow the risk assessment methodology, based on the latest version of NIST SP 800-30 (▇▇▇▇://▇▇▇▇.▇▇▇▇.▇▇▇/publications/nistpubs/800-30- rev1/sp800_30_r1.pdf). Upon request, the Risk Assessment findings and remediation strategy must be shared with OCHCA. • NIST. To ensure compliance with HIPAA, Application Service Providers shall implement appropriate security safeguards by following National Institute of Standards and Technology (NIST) guidelines. County of Orange Health Care Agency Page 43 MA-042-17011367

Application Access. All systems accessible via the internet must employ security controls to prevent access to the application via an asset not approved or owned by the county. • Risk Assessment. Application Service Providers hosting data for HIPAA covered services must conduct an accurate and thorough Risk Assessment as required by HIPAA Security Rule, Security Management (§ 164.308(a)(1)). Further, they must follow the risk assessment methodology, based on the latest version of NIST SP 800-30 (▇▇▇▇://▇▇▇▇.▇▇▇▇.▇▇▇/publications/nistpubs/800-30- 30-rev1/sp800_30_r1.pdf). Upon request, the Risk Assessment findings and remediation strategy must be shared with OCHCA. County of Orange MA-042-20012181 Health Care Agency Page 51 of 65 Folder No. C025988 • NIST. To ensure compliance with HIPAA, Application Service Providers shall implement appropriate security safeguards by following National Institute of Standards and Technology (NIST) guidelines. County of Orange Health Care Agency Page 43 MA-042-17011367.