Common use of Corrective Action Obligations Clause in Contracts

Corrective Action Obligations. AHP agrees to the following:

1. Within five (5) days of the Effective date, AHP shall use its best efforts to retrieve all photocopier hard drives that were contained in photocopiers previously leased by AHP that remain in the possession of Canon Financial Services, and safeguard all EPHI contained therein from impermissible disclosure. If AHP cannot retrieve said hard drives, AHP shall provide OCR with documentation explaining its “best efforts” and the reason it was unable to retrieve said hard drives. If AHP retrieves said hard drives, AHP shall provide OCR written certification that it has completed the requirements specified in this paragraph. AHP’s compliance with this corrective action will be based on the Region’s review and approval of the documentation explaining why its efforts failed to retrieve the hard drives.

2. Within thirty (30) days of the Effective Date, AHP shall conduct a comprehensive risk analysis of the EPHI security risks and vulnerabilities that incorporates all electronic equipment and systems controlled, owned or leased by AHP. AHP shall also, within this time period develop a plan, to address and mitigate any security risks and vulnerabilities found in this analysis and, if necessary, revise its present policies and procedures. The plan and any revised policies and procedures shall be forwarded to OCR for its review consistent with paragraph 3 below.

3. OCR shall review and recommend changes to the plan and any revised policies and procedures specified in paragraph 2. Upon receiving OCR’s recommended changes, AHP shall have thirty calendar days to provide a revised plan and any revised policies and procedures to OCR for review and approval. AHP shall implement the plan and distribute and train staff members on any revised policies and procedures within thirty (30) calendar days of OCR’s approval.

Appears in 2 contracts

Sources: Resolution Agreement, Resolution Agreement